You can use ldapfilter for that, for example:
your base search here | ldapfilter search="(&(objectclass=user)(!(objectClass=computer))(samAccountName=$samAccountName$))" attrs="sAMAccountName, personalTitle, displayName, givenName, sn, mail, telephoneNumber, mobile, manager, department, whenCreated, userAccountControl"
The above assumes there's a field named samAccountName with the usernames you are planning to search for. In a similar way you can include any variable like this: $FIELDNAME$.
You can add as many attributes as you want, but do not use * as it'll take forever. Better to be specific about what you want.
Note that if you don't have a default domain, you are going to have to specify it with "domain=YOURDOMAIN".
Hope that helps.
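As an added illustration (not part of the thread and not the Splunk add-on's own code), the following stand-alone Python shows what the $user$ substitution in the answer above amounts to: for each constructed EventCode 4722 record it fills the same filter template, skips computer accounts the way user!=*$ does, and escapes the substituted value per RFC 4515 so that characters like ( ) * and \ in an account name cannot change the filter's meaning. The sample events, the escaping step and the helper names are assumptions made for this example; they say nothing about how ldapfilter itself treats the value.

```python
# Added example (not from the thread or the Splunk add-on): build the LDAP
# filter that the ldapfilter search above produces per event, from constructed
# EventCode 4722 records, escaping the substituted value per RFC 4515 and
# skipping computer accounts (names ending in "$").

# Constructed sample events; field names mirror the Windows Security
# sourcetype fields used in the thread (EventCode, user).
SAMPLE_EVENTS = [
    {"EventCode": "4722", "user": "jdoe"},
    {"EventCode": "4722", "user": "WS01$"},           # computer account, excluded by user!=*$
    {"EventCode": "4722", "user": "o'brien (temp)"},  # parentheses must be escaped
    {"EventCode": "4720", "user": "asmith"},          # different event code, ignored
    {"EventCode": "4722", "user": "*"},               # unescaped, a bare wildcard matches every user
]

# Attribute list from the thread's ldapfilter call.
ATTRS = ["sAMAccountName", "displayName", "sn", "mail", "manager"]

# RFC 4515 escapes for characters that carry meaning inside a filter value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(sam_account_name: str) -> str:
    """The filter template from the thread, with the $user$ token filled in (escaped)."""
    return ("(&(objectclass=user)(!(objectClass=computer))"
            f"(samAccountName={escape_filter_value(sam_account_name)}))")


def filters_for_enabled_users(events):
    """Mimic `EventCode=4722 user!=*$ | ldapfilter ...`: one (user, filter) per qualifying event."""
    out = []
    for ev in events:
        if ev.get("EventCode") != "4722":
            continue
        user = ev.get("user", "")
        if not user or user.endswith("$"):  # drop computer accounts, as user!=*$ does
            continue
        out.append((user, build_user_filter(user)))
    return out


def ldapsearch_command(sam_account_name: str) -> str:
    """The equivalent manual ldapsearch line suggested later in the thread for debugging one user."""
    return f'| ldapsearch search="{build_user_filter(sam_account_name)}" attrs="{", ".join(ATTRS)}"'


if __name__ == "__main__":
    for user, _ in filters_for_enabled_users(SAMPLE_EVENTS):
        print(f"{user:16} -> {ldapsearch_command(user)}")
```

Running it prints one ldapsearch line per enabled (non-computer) account, which is the same per-user query the thread recommends trying by hand when ldapfilter returns nothing; the escaped "o'brien \28temp\29" and "\2a" values show why a raw field value should not be dropped into a filter unescaped.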
Thanks for the answer!
When I use the ldapfilter command, I'm getting the error "External search command 'ldapfilter' returned error code 1. Script output = " ERROR socket connection error: [Errno 111] Connection refused " ". When I use the ldapsearch command in another search, it's working. Can you let me know if you have an idea about this issue?
I haven't seen that issue before.
Splunk Supporting Add-on for Active Directory - 2.1.2 and Splunk Enterprise version - 6.4.2
I tried to simplify the search; it's the same thing.
I'm trying to create an alert when a user is enabled.
Search I'm using:
eventtype=wineventlog_security EventCode=4722 user!=*$ | eval time=strftime(_time, "%Y-%d-%m %H:%M") | ldapfilter search="(&(objectclass=user)(!(objectClass=computer))(samAccountName=$user$))" attrs="sAMAccountName, displayName, sn, mail, manager"
When I use ldapfilter, the output produces no results.
Hi, your search works fine for me.
Have you tried debugging this by listing a few users first with:
eventtype=wineventlog_security EventCode=4722 user!=*$ | head 10 | table user
And then using ldapsearch in a new search instead of ldapfilter to ensure your ldap queries are working fine?
| ldapsearch search="(&(objectclass=user)(!(objectClass=computer))(samAccountName=manuallySpecifyAUserFromYourList))" attrs="sAMAccountName, displayName,sn,mail,manager"
Have you also tried searching directly in your index and sourcetype instead of using the eventtype?
Yes, I tried |ldapsearch with user details and it's working, and with the index name it's working.
But when I use ldapfilter, it's showing the error:
External search command 'ldapfilter' returned error code 1. Script output = " ERROR socket connection error: [Errno 111] Connection refused "
Hmm. Not sure.
If I were you I would try to upgrade from 2.1.2 to 2.1.3 and see if that helps.
The error you are listing is almost always Python related, and Splunk 6.4 comes with a lot of changes in the Python world, so maybe you need to run the latest app to be 100% sure it is compatible with 6.4.