ldapsearch via API

bgagliardi1 · ‎03-08-2018

I'm using a REST API broker platform and it's running Splunk searches. All of my searches I've ran come out the exact same way they do in the Splunk UI, except when I try to run an ldapsearch.

Command being sent:

| ldapsearch search="(&(objectclass=user)(objectcategory=user)
(proxyAddresses=smtp:person@domain.com))"
| search userPrincipalName
| table fieldICareabout | rex mode=sed field=fieldICareAbout "s/(.*\/)//"

I recognize that this command has to be the first command, so how do I send a command like this via API if "search" is appended to every search?

I get the FATAL error

messages: [
{
type: FATAL,
message: Error in 'ldapsearch' command: This command must be the first command of a search.
}

tiagofbmm · ‎03-09-2018

Hi

So to test your error, I just tried to curl something that would throw a FATAL, but it should raise that

1 - curl -u admin:**** -k https://localhost:8094/services/search/jobs -d search="| ldapsearch "

Then get the job id and grab the results

2 - curl -u admin:****-k https://localhost:8094/services/search/jobs/1520586227.6682/results/ --get -d output_mode=csv

<messages>
    <msg type="FATAL">Error in 'ldapsearch' command: command="ldapsearch", A value for "search" is required</msg>
  </messages>

So my point here is what you are passing to the REST endpoint services/search/jobs is probably not well formatted.

Can you try that command the way I did passing it in the command line, so we can debug that option out?

livehybrid · ‎03-08-2018

Can you post the code that you're using to submit the API request? You should be fine if you start the query with | (no space before it).

ldapsearch via API

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!