
Splunk Support for Active Directory: Why is "ldapgroup" and "eval" not working in my search?


I am new to Splunk and I have a question that I think should have a simple solution, but I can't find it.

The below "eval foo" works as I expect. It is listed under the fields list and contains the text and samaccountname as I specified with eval:

| ldapsearch limit=10 domain=SPL search="(&(objectclass=user)(!(objectClass=computer)))" | eval foo = "test:" + sAMAccountName

But when I try the same with ldapgroup (see below), eval foo doesn't work. It's not listed under the fields list, and if I add | table foo to the end of the search I get no results found.

|ldapsearch domain=SPL search="(&(objectclass=group)(cn=Administrators))"|ldapgroup domain=SPL|eval foo = "test:" + member_name

Any suggestions as to what I am doing wrong?

1 Solution


You should use "." to concatenate instead of "+" in your eval. Also, make sure that the member_name field still exists after you use the ldapgroup command.
