ldapsearch via API

I'm using a REST API broker platform and it's running Splunk searches. All of the searches I've run come out the exact same way they do in the Splunk UI, except when I try to run an ldapsearch.

Command being sent:

| ldapsearch search="(&(objectclass=user)(objectcategory=user)
| search userPrincipalName
| table fieldICareabout | rex mode=sed field=fieldICareAbout "s/(.*\/)//"

I recognize that this command has to be the first command, so how do I send a command like this via API if "search" is appended to every search?

I get the FATAL error

messages: [
type: FATAL,
message: Error in 'ldapsearch' command: This command must be the first command of a search.

0 Karma



So to test your error, I just tried to curl something that would throw a FATAL, but it should raise that

1 - curl -u admin:**** -k https://localhost:8094/services/search/jobs -d search="| ldapsearch "

Then get the job id and grab the results

2 - curl -u admin:**** -k https://localhost:8094/services/search/jobs/1520586227.6682/results/ --get -d output_mode=csv

    <msg type="FATAL">Error in 'ldapsearch' command: command="ldapsearch", A value for "search" is required</msg>

So my point here is what you are passing to the REST endpoint services/search/jobs is probably not well formatted.

Can you try that command the way I did passing it in the command line, so we can debug that option out?

0 Karma


Can you post the code that you're using to submit the API request? You should be fine if you start the query with | (no space before it).

0 Karma
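An added example, not code from any poster in this thread: a small Python helper that prepares an SPL string for `services/search/jobs` so a generating command such as `ldapsearch` stays first. It also goes one step beyond the thread by showing that the `&` in an LDAP filter truncates the `search` field when the form body is not URL-encoded. The function names, the sample query and the "always prepend `search`" broker behaviour are assumptions made for illustration.

```python
from urllib.parse import urlencode, parse_qs

# Constructed sample modelled on the question's query (filter closed for the example).
SAMPLE_SPL = '''
| ldapsearch search="(&(objectclass=user)(objectcategory=user))"
| table userPrincipalName'''


def normalize_spl(query: str) -> str:
    """Strip leading whitespace; add `search` only when no generating pipe leads."""
    q = query.strip()
    if not q:
        raise ValueError("empty search")
    if q.startswith("|") or q.lower().startswith("search "):
        return q
    return "search " + q


def naive_prepend(query: str) -> str:
    """Hypothetical broker behaviour: always prefix `search`."""
    return "search " + query.strip()


def first_command(spl: str) -> str:
    """Name of the first command in the pipeline as submitted."""
    head = spl.lstrip()
    if head.startswith("|"):
        head = head[1:]
    return head.split(None, 1)[0].lower()


def form_body(spl: str) -> str:
    """URL-encoded POST body, so the filter's '&' cannot split the field."""
    return urlencode({"search": spl, "output_mode": "json"})


def server_view(body: str) -> str:
    """What a form parser recovers as the `search` parameter."""
    return parse_qs(body, keep_blank_values=True)["search"][0]


if __name__ == "__main__":
    fixed = normalize_spl(SAMPLE_SPL)
    print("naive first command:", first_command(naive_prepend(SAMPLE_SPL)))
    print("fixed first command:", first_command(fixed))
    print("raw body, server sees:", server_view("search=" + fixed))
    print("encoded body intact:", server_view(form_body(fixed)) == fixed)
```

With curl, the equivalent of `form_body` is passing the query with `--data-urlencode` rather than `-d`.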