
ldapfilter: unable to use fields returned by ldapfilter in subsequent operations

abpe
Path Finder

I am doing the following search on Splunk 4.3.6 search head:

sourcetype="WinEventLog:Security" EventCode=5136 Class=groupPolicyContainer | eval DN=replace(DN,"}","},") | ldapfilter domain=$Account_Domain$ search="(distinguishedName=$DN$)" attrs=displayName

The idea is to get the display name of the modified GPO. The search produces the expected results. However, when I try to pipe the result to a table like this:

| table Account_Name,displayName 

the displayName column is empty.
What am I doing wrong?
Thanks.

1 Solution

abpe
Path Finder

Well I figured out the problem. In my case it is returning the displayName as a multivalue field, the first value being empty and the second value containing what I expect. I added the following to my search:

...|eval displayName=mvindex(displayName,-1)|...

I don't know though why ldapfilter returns a multivalue field.


howyagoin
Contributor

This does seem to work, but isn't really a great solution; when I create a table based on the mvindex'd field name, I am seeing loads of results with empty values, and attempting to remove them with a "| search NOT displayName=""" doesn't work...

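Putting the accepted fix and the follow-up complaint together, here is the full search as an added example (not code from either poster): it applies the mvindex workaround from the answer and then drops the rows whose displayName could not be resolved with a where clause instead of the "search NOT displayName=""" form, which is an assumption on my part about what the commenter was after. The $Account_Domain$/$DN$ substitution is ldapfilter's own syntax as used in the question.

```spl
sourcetype="WinEventLog:Security" EventCode=5136 Class=groupPolicyContainer
| eval DN=replace(DN,"}","},")
| ldapfilter domain=$Account_Domain$ search="(distinguishedName=$DN$)" attrs=displayName
| eval displayName=mvindex(displayName,-1)
| where isnotnull(displayName) AND displayName!=""
| table _time, Account_Name, DN, displayName
```

mvindex(displayName,-1) returns null when ldapfilter added no displayName at all and the empty string when the last multivalue entry is blank, so the where clause covers both cases before the table is built.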