
Ldapsearch not able to get member;range0-1499 in Splunk query.

raghu_vedic
Path Finder

Hi,

Please find the query

| ldapsearch search="(&(objectCategory=group))"    attrs="member;range0-1499" | table member;range0-1499.

Note: I am not getting empty in member attribute

0 Karma
1 Solution

acharlieh
Influencer

Doing some tests myself, it seems that SA-ldapsearch doesn't properly handle attribute range retrieval with Active Directory. As @richgalloway suggests, you should file a bug report for it.

On the plus side, given that range=0-1499 is the first retrieval set, and that ldapsearch generates a JSON event, and it seems to actually retrieve the range attribute... you can use spath to extract the ranged field, and grab it:

| ldapsearch search="(cn=ReallyBigGroup)" attrs="member" | spath | table "member;range=0-1499{}"

Obviously it doesn't work for any other ranges:

| ldapsearch search="(cn=ReallyBigGroup)" attrs="member;range=1500-*" | spath

Yields:

External search command 'ldapsearch' returned error code 1. Script output = "error_message=Invalid attribute types in attrs list: member;range=1500-* "

(which now I'm looking through the python script to figure out why it can't parse the attribute range)

EDIT: it doesn't help that it seems that the version of the ldap3 library that's packaged is really old... version 0.9.5.3 which isn't a tagged version in GitHub... 0.9.5.2 was released 4 years ago.

The first error seems to come from SA-ldapsearch/bin/packages/app/init.py:437
but then if you edit the code to bypass that you run smack into an error from: SA-ldapsearch/bin/packages/ldap3/operation/search.py:315

This is of course looking at SA-ldapsearch v2.1.6
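Added example (not part of any post in this thread and not SA-ldapsearch code): a sketch of the client side of the ranged retrieval discussed above, reading keys such as `member;range=0-1499` from a result entry and deriving the next `attrs` value until the server answers with a `*` upper bound. The `fetch` callable, the fake server, the sample DNs, and the assumption that the plain `member` key comes back empty next to the ranged key are all constructed for illustration.

```python
import re

# AD ranged-attribute option, e.g. "member;range=0-1499" or "member;range=1500-*".
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$", re.I)

def parse_ranged(entry, attr="member"):
    """Return (values, next_attrs) for one result entry (a dict of lists).

    next_attrs is the attrs string for the follow-up request, or None when
    the server marked the last chunk with '*' or returned the plain attribute.
    """
    for key, values in entry.items():
        m = RANGE_RE.match(key)
        if m and m.group("attr").lower() == attr.lower():
            if m.group("hi") == "*":
                return list(values), None
            return list(values), f"{attr};range={int(m.group('hi')) + 1}-*"
    return list(entry.get(attr, [])), None  # small group: no range option used

def collect_members(fetch, attr="member"):
    """Loop until the final chunk. `fetch(attrs)` is a hypothetical callable
    that runs one search for a single group and returns its entry dict."""
    spec, members = attr, []
    while spec is not None:
        values, spec = parse_ranged(fetch(spec), attr)
        members.extend(values)
    return members

def make_fake_fetch(all_members, cap=1500):
    """Constructed stand-in for a server that caps values per response."""
    def fetch(spec):
        m = RANGE_RE.match(spec)
        lo = int(m.group("lo")) if m else 0
        chunk = all_members[lo:lo + cap]
        final = lo + cap >= len(all_members)
        if final and not m:
            return {"member": chunk}  # fits in one response, plain name
        hi = "*" if final else str(lo + cap - 1)
        return {"member": [], f"member;range={lo}-{hi}": chunk}
    return fetch

# Constructed sample data: 3200 made-up member DNs.
SAMPLE = [f"CN=user{i},OU=Staff,DC=example,DC=test" for i in range(3200)]

if __name__ == "__main__":
    print(len(collect_members(make_fake_fetch(SAMPLE))))
```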

logloganathan
Motivator

Could you please use this query

| ldapsearch search="(&(objectCategory=group))" limit=1500 attrs="member" | table member

Also, please let us know if you are looking for attrs=member0 attrs=member1............attrs=member1499 as the range value.

0 Karma

richgalloway
SplunkTrust

"member;range0-1499" is not a typical Splunk field name (semicolons and hyphens are not permitted). Verify the name using the query | ldapsearch search="(&(objectCategory=group))" attrs="member;range0-1499" | table *.
Also, check the log file (SA-ldapsearch.log) to see if any errors were reported.

---
If this reply helps you, Karma would be appreciated.
0 Karma

raghu_vedic
Path Finder

Hi, thanks for your reply.

It is sending an error:
Invalid attribute.

But I can see member;range0-1499 in events.

0 Karma

richgalloway
SplunkTrust

I suspect the app can handle the member attribute, but doesn't like the range qualifier. You should probably contact Splunk support for assistance or to file a bug report.

---
If this reply helps you, Karma would be appreciated.
0 Karma