- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- How do I use LDAP Search command, but still retain...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want to use ldapfilter (or other LDAP search command) to try finding an object in AD, but if the object is not found, I want to still retain the event. Basically, the search below results not results because mydomain and the Sid are not found. I want it to sill return the Sid.
| makeresults
| eval Sid="S-1-5-21-111111111-111111111-1111111111-11111"
| ldapfilter domain=mydomain search="(objectSid=$Sid$)" attrs=cn
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Perhaps wrapping the ldapfilter command in an appendpipe will give you what you're looking for:
| makeresults
| eval Sid="S-1-5-21-111111111-111111111-1111111111-11111"
| appendpipe
[| ldapfilter domain=mydomain search="(objectSid=$Sid$)" attrs=cn ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Perhaps wrapping the ldapfilter command in an appendpipe will give you what you're looking for:
| makeresults
| eval Sid="S-1-5-21-111111111-111111111-1111111111-11111"
| appendpipe
[| ldapfilter domain=mydomain search="(objectSid=$Sid$)" attrs=cn ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, that's what I was looking for. Just need more practice with append commands. I tried map and appendcols, which didn't help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah, it's not always easy to wrap your head around the options in Splunk. 🙂
Once you progress this to something more than a toy demo (like - you have a series of Sid values you are looking up, some of which are found by the ldapfilter command and some of which are not), you'll probably need to add a transforming command after the subsearch to filter duplicates and such.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yup. Did that with:
| sort Sid -cn
| dedup Sid
And it keeps only the ones which have a cn, if there are two entries for a Sid. I know dedup is not most efficient, but the number of results is small.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would try something like a combo of eval / if / isnull() to see if a field has data in, or exists then carry out actions after that ???
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could you elaborate? There is data in the field, it just may not be found in LDAP.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
