
Is there any way around Splunk waiting for a cmd in order to do an inputlookup in an ldapsearch?

Ed_Alias
Path Finder

Hi, I want to list the members of a group and then list their groups in Active Directory.

For that I have a lookup with all users. I query it and format my list so it is nice for the ldapsearch:

|inputlookup Domaine_LOL | search memberOf=*team_1* | table sAMAccountName | format "|" "(" "(" ")" " " ")"

Then I make my ldapsearch; the "static" version is as follows:

| ldapsearch search="(&(objectClass=user)(|(cn=*user1*)(cn=*user2*)(cn=*user3*))(!(objectClass=computer)))" 

    |ldapfetch dn=memberOf attrs="cn,description"
    |table sAMAccountName,cn,description
    |rename sAMAccountName as nom
      | sort + nom

So the automated version should be:

| ldapsearch search="(&(objectClass=user)([ |inputlookup Domaine_LOL | search memberOf=*team_1* | table sAMAccountName | format "|" "(" "(" ")" " " ")"])(!(objectClass=computer)))" 

    |ldapfetch dn=memberOf attrs="cn,description"
    |table sAMAccountName,cn,description
    |rename sAMAccountName as nom
      | sort + nom

The problem is that I get this error:

Error in 'SearchParser': Missing a search command before '"'. Error at position '131' of search query '|ldapsearch search="(&(objectClass=user)(|[ |inpu...{snipped} {errorcontext = format "|" "(" "(" "}'.

It is as if Splunk is waiting for a search command in order to do an inputlookup inside an ldapsearch.

Any way around this?

Thanks.

1 Solution

woodcock
Esteemed Legend

You need to escape the double-quotes with a backslash (\) like this:

| ldapsearch search="(&(objectClass=user)([ |inputlookup Domaine_LOL | search memberOf=*team_1* | table sAMAccountName | format \"|\" \"(\" \"(\" \")\" \" \" \")\"])(!(objectClass=computer)))"


johannes_ru
New Member

This solution does not work ("error_message=invalid filter") because the column value it produces is enclosed in double quotes, and therefore the result of the subquery ends up like this (with my example):

| ldapsearch search="(&(objectClass=group)([| rest splunk_server=local /services/admin/SAML-groups | rename title as cn | table cn | uniq| format \"\|\" \"(\" \"(\" \")\" \"\" \"\"]))"
| ldapsearch search="(&(objectClass=group)(| ( cn="app-splunk-a-d" ) ( cn="app-splunk-b-d" ))"

 

This cannot work as long as one can configure the column enclosings.

0 Karma
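The quoting problem described in the reply above, as an added example that is not part of the original thread or of the Splunk LDAP app: a Python sketch that takes `format`-style output, drops the double quotes and rebuilds the filter with RFC 4515 escaping, so a value from the lookup cannot change the filter's structure. The function names are hypothetical, and it assumes `format` backslash-escapes quotes inside values.

```python
import re

# RFC 4515: these characters must be written as backslash + two hex digits
# when they appear inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# One term as emitted by Splunk's `format`: attr="value"
_FORMAT_TERM = re.compile(r'([A-Za-z][A-Za-z0-9-]*)="((?:[^"\\]|\\.)*)"')


def escape_value(value):
    """Escape a literal value so it cannot alter the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def terms_from_format(text):
    """Extract (attr, value) pairs from `format` output, dropping the quotes."""
    # Assumption: inner quotes/backslashes arrive backslash-escaped; undo that.
    return [(a, re.sub(r"\\(.)", r"\1", v)) for a, v in _FORMAT_TERM.findall(text)]


def or_filter(terms, contains=False):
    """Build (|(attr=v1)(attr=v2)...); contains=True yields (attr=*v*)."""
    parts = []
    for attr, value in dict.fromkeys(terms):  # de-duplicate, keep order
        if not value:
            continue
        v = escape_value(value)
        parts.append(f"({attr}=*{v}*)" if contains else f"({attr}={v})")
    if not parts:
        # An empty lookup must fail loudly instead of yielding a broken filter.
        raise ValueError("no values to search for")
    return parts[0] if len(parts) == 1 else "(|" + "".join(parts) + ")"


def and_filter(*subfilters):
    """Wrap already-built sub-filters in an AND."""
    return "(&" + "".join(subfilters) + ")"


if __name__ == "__main__":
    # Constructed sample: the quoted expansion shown in the reply above.
    sample = '( cn="app-splunk-a-d" ) ( cn="app-splunk-b-d" )'
    print(and_filter("(objectClass=group)", or_filter(terms_from_format(sample))))
```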

Ed_Alias
Path Finder

Hi, you were right, the escaping made things better, so the request is now interpreted, but I still get a "bad filter" error.

I finally found that I was wrong in the way I made my request; I found a much easier way to achieve what I need with ldapfetch!

I ldapsearch the users who are members of the group I need and then list their group memberships; ldapfetch then goes and gets the cn and description of the groups, much better 🙂

| ldapsearch domain="default" search="(&(objectClass=user)(cn=*))" attrs="sAMAccountName,mail,memberOf"
| search memberOf="CN=Team_1,OU=Groupes,OU=...,OU=....,OU=Users,DC=domain,DC=com" 
|mvexpand memberOf |ldapfetch dn=memberOf attrs="cn,description"
| table sAMAccountName mail cn description
| rename sAMAccountName  AS user
| rename cn AS group_name

Thanks for your help 🙂

0 Karma

woodcock
Esteemed Legend

Be sure to click Accept on the answer to close the question.

0 Karma

gcusello
SplunkTrust
SplunkTrust

There is a pipe before the square parentheses.
Bye.
Giuseppe

0 Karma

Ed_Alias
Path Finder

Hi,

Thanks, I made a bad copy in my post, but it doesn't solve the problem.

(I do reinject this needed pipe with the format command inside the subsearch.)

0 Karma