
How to modify the built-in macro to exclude a particular OU?

jms112080
New Member

I'm using the inactive users macro for example and I have a particular OU I'd like to ignore. I'd prefer to do it in the ldapsearch itself, but if it must be done with the data that's present in Splunk after the search, that will work as well. The macro below is default with the exception of adding the "distinguishedName" attribute to the table and to the LDAP "attrs". I've tried various things with the ldapsearch itself and I think I'm hitting limitations of Microsoft's LDAP implementation. Once the data is returned to Splunk, it seems like I should be able to filter out anything that contains "distinguishedName=OU=offendingou". If anyone has any ideas, please let me know. Thanks.

ldapsearch domain="$domain$" search="(&(objectclass=user)(!(objectclass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" attrs="sAMAccountName,cn,userPrincipalName,userAccountControl,distinguishedName"

|join type=outer sAMAccountName [search eventtype=msad-successful-user-logons dest_nt_domain="$domain$"|stats max(_time) as lastLogonTime by user|rename user as sAMAccountName]|where isnull(lastLogonTime) | table sAMAccountName,cn,userPrincipalName,userAccountControl,distinguishedName

0 Karma
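A post-search version of the filtering the question describes, as an added example that is not part of this thread: the rows and the OU name are constructed stand-ins for ldapsearch output, and the code shows why comparing the parsed OU components of distinguishedName is safer than the substring match ("contains OU=offendingou") the question proposes, which also catches OUs whose name merely starts with the same text.

```python
# Added example: exclude LDAP user rows that sit in a given OU, by parsing the DN
# rather than substring-matching it. Rows below are constructed sample data.

def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, honouring backslash escapes
    such as the '\\,' inside CN=Smith\\, Anna. Both parts are lower-cased."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)          # escaped char is literal, e.g. a comma in a CN
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    out = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        out.append((attr.strip().lower(), value.strip().lower()))
    return out


def in_ou(dn: str, ou_name: str) -> bool:
    """True if any OU component of the DN equals ou_name (case-insensitive),
    so users in nested sub-OUs of that OU are matched as well."""
    return any(a == "ou" and v == ou_name.lower() for a, v in split_dn(dn))


def exclude_ou(rows: list[dict], ou_name: str) -> list[dict]:
    """Keep only rows whose distinguishedName is not under ou_name."""
    return [r for r in rows if not in_ou(r["distinguishedName"], ou_name)]


def naive_exclude(rows: list[dict], ou_name: str) -> list[dict]:
    """The substring approach from the question, kept for comparison."""
    needle = f"ou={ou_name}".lower()
    return [r for r in rows if needle not in r["distinguishedName"].lower()]


# Constructed sample rows shaped like the macro's table output.
SAMPLE_ROWS = [
    {"sAMAccountName": "jdoe",   "distinguishedName": "CN=John Doe,OU=Users,DC=corp,DC=example"},
    {"sAMAccountName": "svc1",   "distinguishedName": "CN=svc1,OU=offendingou,DC=corp,DC=example"},
    {"sAMAccountName": "asmith", "distinguishedName": "CN=Smith\\, Anna,OU=Sales,OU=offendingou,DC=corp,DC=example"},
    {"sAMAccountName": "bkim",   "distinguishedName": "CN=Bob Kim,OU=offendingou2,DC=corp,DC=example"},
]
```

Running `exclude_ou(SAMPLE_ROWS, "offendingou")` keeps jdoe and bkim, while the substring version also drops bkim because "OU=offendingou2" contains "OU=offendingou".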

adonio
Ultra Champion

Hope I understand your question.
Try to add a NOT after the eventtype=msad-successful-user-logons,
something like this:

ldapsearch domain="$domain$" search="(&(objectclass=user)(!(objectclass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" attrs="sAMAccountName,cn,userPrincipalName,userAccountControl,distinguishedName" 
|join type=outer sAMAccountName [search eventtype=msad-successful-user-logons NOT (distinguishedName=offendingou OR OU=offendingou) dest_nt_domain="$domain$"|stats max(_time) as lastLogonTime by user|rename user as sAMAccountName]|where isnull(lastLogonTime) | table sAMAccountName,cn,userPrincipalName,userAccountControl,distinguishedName

First, try the subsearch on its own to make sure it ignores the OU:

index=YOUR_WINDOWS_AD_INDEX eventtype=msad-successful-user-logons NOT (distinguishedName=offendingou OR OU=offendingou)

Hope it helps.

0 Karma