ldapfilter: unable to use fields returned by ldapfilter in subsequent operations

abpe
Path Finder

I am doing the following search on a Splunk 4.3.6 search head:

sourcetype="WinEventLog:Security" EventCode=5136 Class=groupPolicyContainer | eval DN=replace(DN,"}","},") | ldapfilter domain=$Account_Domain$ search="(distinguishedName=$DN$)" attrs=displayName

The idea is to get the display name of the modified GPO. The search produces the expected results. However, when I try to pipe the result to a table like this:

| table Account_Name,displayName 

the displayName column is empty.
What am I doing wrong?
Thanks.


abpe
Path Finder

Well I figured out the problem. In my case it is returning the displayName as a multivalue field, the first value being empty and the second value containing what I expect. I added the following to my search:

...|eval displayName=mvindex(displayName,-1)|...

I don't know, though, why ldapfilter returns a multivalue field.


howyagoin
Contributor

This does seem to work, but isn't really a great solution; when I create a table based on the mvindex'd field name, I am seeing loads of results with empty values, and attempting to remove them with a "| search NOT displayName=""" doesn't work...

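An added example that is not from either poster, putting the pieces of this thread together in one search: it keeps the original 5136 search and ldapfilter call, applies the mvindex(displayName,-1) workaround from the accepted answer, and adds a filtering stage for the empty rows described in the comment above. mvfilter, mvindex, isnotnull and the where command are standard SPL; that mvfilter and where behave identically on a 4.3.6 search head with the installed ldapfilter version is an assumption, as is the exact shape of the multivalue field (one empty value followed by the real displayName) that the answer reports.

```spl
sourcetype="WinEventLog:Security" EventCode=5136 Class=groupPolicyContainer
| eval DN=replace(DN,"}","},")
| ldapfilter domain=$Account_Domain$ search="(distinguishedName=$DN$)" attrs=displayName
| eval displayName=mvfilter(displayName!="")
| eval displayName=mvindex(displayName,-1)
| where isnotnull(displayName) AND displayName!=""
| table _time, Account_Name, DN, displayName
```

The mvfilter stage removes the empty member of the multivalue field before mvindex picks the last remaining value, so the result does not depend on the empty value always being first. The where stage is the alternative to "| search NOT displayName=""": when ldapfilter matches no object the displayName field is absent rather than empty, and isnotnull(displayName) is false for such events, so they are dropped along with any event whose only value was the empty string. Keeping DN in the table makes it easy to spot which GPO lookups returned nothing, which is the quickest way to check whether the replace() on DN is producing a distinguishedName the directory actually recognises.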