ldapsearch via API

bgagliardi1 · ‎03-08-2018

I'm using a REST API broker platform and it's running Splunk searches. All of my searches I've ran come out the exact same way they do in the Splunk UI, except when I try to run an ldapsearch.

Command being sent:

| ldapsearch search="(&(objectclass=user)(objectcategory=user)
(proxyAddresses=smtp:person@domain.com))"
| search userPrincipalName
| table fieldICareabout | rex mode=sed field=fieldICareAbout "s/(.*\/)//"

I recognize that this command has to be the first command, so how do I send a command like this via API if "search" is appended to every search?

I get the FATAL error

messages: [
{
type: FATAL,
message: Error in 'ldapsearch' command: This command must be the first command of a search.
}

tiagofbmm · ‎03-09-2018

Hi

So to test your error, I just tried to curl something that would throw a FATAL, but it should raise that

1 - curl -u admin:**** -k https://localhost:8094/services/search/jobs -d search="| ldapsearch "

Then get the job id and grab the results

2 - curl -u admin:****-k https://localhost:8094/services/search/jobs/1520586227.6682/results/ --get -d output_mode=csv

<messages>
    <msg type="FATAL">Error in 'ldapsearch' command: command="ldapsearch", A value for "search" is required</msg>
  </messages>

So my point here is what you are passing to the REST endpoint services/search/jobs is probably not well formatted.

Can you try that command the way I did passing it in the command line, so we can debug that option out?

livehybrid · ‎03-08-2018

Can you post the code that you're using to submit the API request? You should be fine if you start the query with | (no space before it).

ldapsearch via API

Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts

Video | Tom’s Smartness Journey Continues

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?