Anyone know how I can do event-level filtering that matches events based on membership in an AD group?
Specifically, I'm looking to send any and all events that have to do with the members of the "domain administrators" Active Directory group to a separate index. From there I can control permissions to that index to keep Domain Admin activity segregated. (Of course, the concept could be applied to any other AD group, OU, etc.)
Can event-level filtering be done by matching events with the results of an LDAP query, or a CSV lookup, where the CSV is generated by a scheduled non-Splunk job?
(Or do I have to write a shell script to do an LDAP query and figure out how to safely update the appropriate config files using the script?)
No, I never did. Splunk support was also unable to provide a way to do this. The only thing I can think to do is to custom-write a script that does the LDAP query for you and modifies a regex in the Splunk configs... but last I knew there was no built-in way to do this. However, I haven't checked to see if this might have been a new feature in recent releases.
Heh... just re-read my original question... seems I'm at the same conclusion I was when I wrote the question. External script would have to be the solution.
It seems like this is exactly what ldapsearch is meant to do, but I can't figure out the search. I have my event search, then I want to filter events if the user field name matches the sAMAccountName field of a user that is a memberOf an LDAP group.
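An added example (not from any of the posters in this thread) of the "external script" approach the follow-up describes, and of the sAMAccountName matching the last reply asks for. It takes the LDIF that a scheduled `ldapsearch` run prints for the members of the Domain Admins group and turns it into two Splunk artifacts: a CSV lookup for search-time filtering, and a transforms.conf stanza whose REGEX routes matching events to a separate index at index time. The LDIF is constructed sample data; the index name `idx_domain_admins`, the stanza name `route_domain_admins`, the lookup file name and the column names are all assumptions.

```python
"""Generate a Splunk CSV lookup and an index-time routing stanza from the
LDIF output of an ldapsearch run. Added example; sample data is constructed."""
import base64
import csv
import io
import os
import re
import tempfile

# Constructed sample of what
#   ldapsearch -LLL -b "DC=corp,DC=example" \
#     "(&(objectClass=user)(memberOf=CN=Domain Admins,CN=Users,DC=corp,DC=example))" \
#     sAMAccountName
# might print: one folded dn line, one base64 ("::") value, one referral comment.
SAMPLE_LDIF = """\
dn: CN=Alice Admin,CN=Users,DC=corp,DC=example
sAMAccountName: alice.admin

dn: CN=Bob Ops,CN=Users,DC=corp,DC=example
sAMAccountName:: Ym9iLm9wcw==

dn: CN=Backup Service,CN=Users,DC=corp,DC=exam
 ple
sAMAccountName: svc.backup$

# refldap://ForestDnsZones.corp.example/DC=ForestDnsZones,DC=corp,DC=example
"""


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts.
    Handles folded lines (a continuation line starts with one space),
    base64 values ('attr:: <b64>') and '#' comment/referral lines."""
    unfolded = re.sub(r"\n ", "", text)
    entries, current = [], {}
    for line in unfolded.splitlines():
        if not line.strip():               # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):          # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip(), []).append(value)
    if current:
        entries.append(current)
    return entries


def sam_account_names(entries):
    """Sorted, de-duplicated, lower-cased sAMAccountName values
    (Windows logon names are case-insensitive)."""
    return sorted({v.lower() for e in entries for v in e.get("sAMAccountName", [])})


def build_lookup_csv(names):
    """CSV lookup body: one row per admin account."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["user", "is_domain_admin"])
    for n in names:
        w.writerow([n, "1"])
    return buf.getvalue()


def build_routing_regex(names):
    """Escaped, anchored alternation for transforms.conf REGEX.
    Refuses an empty list: '(?:)' would match every event and route the
    whole sourcetype to the admin index after a failed LDAP run."""
    if not names:
        raise ValueError("no group members found; refusing to emit a match-all regex")
    alts = "|".join(re.escape(n) for n in names)
    # Lookarounds keep 'bob.ops' from matching 'bob.opsen' or 'bob.ops-old'.
    return r"(?i)(?<![\w.$-])(?:%s)(?![\w.$-])" % alts


def would_route(names, raw_event):
    """True if the generated REGEX would send this raw event to the admin index."""
    return re.search(build_routing_regex(names), raw_event) is not None


def build_transforms_stanza(names, index="idx_domain_admins", stanza="route_domain_admins"):
    """Index-time routing stanza (assumed index and stanza names)."""
    return (
        f"[{stanza}]\n"
        f"REGEX = {build_routing_regex(names)}\n"
        f"DEST_KEY = _MetaData:Index\n"
        f"FORMAT = {index}\n"
    )


def write_atomic(path, content):
    """Write via temp file + rename so Splunk never reads a half-written
    lookup or stanza, and a crash mid-write leaves the old file in place."""
    d = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=d, prefix=".tmp-")
    with os.fdopen(fd, "w", newline="") as f:
        f.write(content)
    os.replace(tmp, path)


if __name__ == "__main__":
    admins = sam_account_names(parse_ldif(SAMPLE_LDIF))
    print(build_lookup_csv(admins))
    print(build_transforms_stanza(admins))
```

In a real deployment the script would read `ldapsearch` output from stdin, call `write_atomic` for `domain_admins.csv` (in the app's `lookups/` directory) and for the transforms stanza, and pair the stanza with a props.conf line such as `TRANSFORMS-route_da = route_domain_admins` under the Windows security sourcetype. Index-time transforms changes take effect only after the indexer or heavy forwarder reloads its configuration, so the job must schedule that too. Two caveats: a lookup is search-time only, so it can filter or tag events but cannot move them into a separate index; and the REGEX above matches the account name anywhere in `_raw`, so an event that merely mentions an admin as the target account is routed as well; prefix the alternation with the field name it should follow if that is not wanted. For the lookup path, set `case_sensitive_match = false` on the lookup definition, or normalize the `user` field to lower case before `| lookup domain_admins.csv user OUTPUT is_domain_admin`. If the Splunk Supporting Add-on for Active Directory is installed, the CSV can instead be produced from inside Splunk by a scheduled `| ldapsearch ... | outputlookup domain_admins.csv` search (check the add-on's documentation for the exact `ldapsearch` arguments); the regex-based index routing still needs the generated stanza.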