Hi, I want to list the members of a group and then list their groups in Active Directory.
For that I have a lookup with all users; I query and format my list so it is nice for the LDAP search:
|inputlookup Domaine_LOL | search memberOf=*team_1* | table sAMAccountName | format "|" "(" "(" ")" " " ")"
Then I make my ldapsearch; the "static" version is as follows:
| ldapsearch search="(&(objectClass=user)(|(cn=*user1*)(cn=*user2*)(cn=*user3*))(!(objectClass=computer)))"
|ldapfetch dn=memberOf attrs="cn,description"
|table sAMAccountName,cn,description
|rename sAMAccountName as nom
| sort + nom
So the automated version should be:
| ldapsearch search="(&(objectClass=user)([ |inputlookup Domaine_LOL | search memberOf=*team_1* | table sAMAccountName | format "|" "(" "(" ")" " " ")"])(!(objectClass=computer)))"
|ldapfetch dn=memberOf attrs="cn,description"
|table sAMAccountName,cn,description
|rename sAMAccountName as nom
| sort + nom
The problem is I get this error:
Error in 'SearchParser': Missing a search command before '"'. Error at position '131' of search query '|ldapsearch search="(&(objectClass=user)(|[ |inpu...{snipped} {errorcontext = format "|" "(" "(" "}'.
It's like Splunk is waiting for a search cmd in order to do an inputlookup inside an ldapsearch.
Any way around?
Thanks.
You need to escape the double quotes with a backslash (\) like this:
| ldapsearch search="(&(objectClass=user)([ |inputlookup Domaine_LOL | search memberOf=*team_1* | table sAMAccountName | format \"|\" \"(\" \"(\" \")\" \" \" \")\"])(!(objectClass=computer)))"
This solution does not work ("error_message=invalid filter") because the column value it produces is enclosed in double quotes, and therefore the result of the subquery ends up like this (with my example):
| ldapsearch search="(&(objectClass=group)([| rest splunk_server=local /services/admin/SAML-groups | rename title as cn | table cn | uniq| format \"\|\" \"(\" \"(\" \")\" \"\" \"\"]))"
| ldapsearch search="(&(objectClass=group)(| ( cn="app-splunk-a-d" ) ( cn="app-splunk-b-d" ))"
This cannot work as long as one can configure the column enclosings.
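Added example, not from any poster in this thread: one way to avoid the quoting that `format` adds is to build the filter string with `eval` and pass it to `ldapsearch` through `map`. It assumes the sAMAccountName values in the lookup contain no LDAP filter metacharacters (`(`, `)`, `*`, `\`); the field names `clause` and `filter` are made up for the example, and the lookup, group and domain names are the ones used in this thread.

```spl
| inputlookup Domaine_LOL
| search memberOf=*team_1*
| eval clause="(sAMAccountName=".sAMAccountName.")"
| stats values(clause) AS clause
| where isnotnull(clause)
| eval filter="(&(objectClass=user)(|".mvjoin(clause, "").")(!(objectClass=computer)))"
| map maxsearches=1 search="| ldapsearch domain=\"default\" search=\"$filter$\" attrs=\"sAMAccountName,memberOf\" | mvexpand memberOf | ldapfetch dn=memberOf attrs=\"cn,description\" | table sAMAccountName cn description"
```

The `where` line stops the search cleanly when the lookup matches no users, so `map` never runs with an empty `$filter$` token.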
Hi, you were right, the escape made things better, so the request is now interpreted, but I still get a "bad filter" error.
I finally found I was wrong in the way I did my request; I found a much easier way to achieve what I need with ldapfetch!
I ldapsearch the users who are members of the group I need and then list their group memberships; ldapfetch then goes and gets the cn and description of the groups, muuuch better 🙂
| ldapsearch domain="default" search="(&(objectClass=user)(cn=*))" attrs="sAMAccountName,mail,memberOf"
| search memberOf="CN=Team_1,OU=Groupes,OU=...,OU=....,OU=Users,DC=domain,DC=com"
|mvexpand memberOf |ldapfetch dn=memberOf attrs="cn,description"
| table sAMAccountName mail cn description
| rename sAMAccountName AS user
| rename cn AS group_name
Thanks for your help 🙂
Be sure to click Accept on the answer to close the question.
There is a pipe before the square parentheses.
Bye.
Giuseppe
Hi,
Thanks, I made a bad copy in my post, but it doesn't solve the problem.
(I do reinject this needed pipe with the format cmd inside the subsearch.)
