I'm trying to correlate user/department from AD against some security logs that contain the username in "User_Name". I'm doing some field extractions because that field is in the format domain\username and there isn't a field that I've seen in our AD based on ldapsearch in that format. The query and the error that I'm getting are below. I haven't been able to find any information on this error.
host=<Host> | eval fld_username=if(substr(User_Name,1,len("Domain"))=="Domain",substr(User_Name,len("Domain\\")+1,len(User_Name)),"false")|ldapfilter domain=default search="(&(objectclass=user) (mailNickname=$fld_username$))"
External search command 'ldapfilter' returned error code 1. Script output = " ERROR "00002120: SvcErr: DSID-031404AF, problem 5012 (DIR_ERROR), data 0 "
Update your app "Splunk Supporting Add-on for Active Directory".
Check your (eval fld_username=...) string without the ldapfilter part.
Try this:
| ldapfilter domain="default" search="(&(objectclass=user) (sAMAccountName=$fld_username$))" attrs="sAMAccountName,telephoneNumber,displayName,title,department"
| streamstats count AS N
| table N, _time, fld_username, displayName, title, department, telephoneNumber
I cleared the error because I was missing the attrs parameter. But the query you provided doesn't include some of the information that I'm looking for, particularly department.
This is what the query looks like now.
host=dgmc User_Name="DPCWL\*" | eval fld_username=substr(User_Name,len("DPCWL\\")+1,len(User_Name)) | ldapfilter domain=default search="(&(objectClass=user)(mailNickname=$fld_username$)(!(objectClass=computer)))" attrs="mailNickname,department"
@ariswadkar - Is the search query you provided above the answer to your original question, or was it intended as a comment/feedback on kalianov's answer? If yes (it is a working solution), please click "Accept" to resolve this question. If no, I can convert your answer to a comment for better readability. Thanks.
It's intended as a comment- it's not returning anything for department.
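An added example that pulls together kalianov's answer and the mailNickname variant above; it is not code from either poster. The host value is a placeholder, and `domain=default` assumes the add-on is configured with a stanza of that name, as in the queries above. Two things differ from the queries in the thread: the domain prefix is stripped with `rex` instead of fixed-length `substr`, so the same search works for any domain\username value, and the username is matched on `sAMAccountName`, which is the logon name that appears after the backslash in domain\username (mailNickname is an Exchange alias and is not populated for every account). The character class in the `rex` pattern also only accepts characters that are legal in a logon name, so a log line containing `*`, `(`, `)` or `\` in the username cannot change the meaning of the LDAP filter that the value is substituted into.

```spl
host=<Host>
| rex field=User_Name "^(?<fld_domain>[^\\\\]+)\\\\(?<fld_username>[A-Za-z0-9._-]+)$"
| where isnotnull(fld_username)
| stats count AS events, latest(_time) AS last_seen BY fld_domain, fld_username
| ldapfilter domain=default search="(&(objectClass=user)(!(objectClass=computer))(sAMAccountName=$fld_username$))" attrs="sAMAccountName,displayName,title,department"
| fillnull value="(not set in AD)" department
| table fld_domain, fld_username, displayName, title, department, events, last_seen
```

The `stats ... BY fld_domain, fld_username` before `ldapfilter` means one directory lookup per distinct user rather than one per log event, which matters when the log volume is large. `department` is left empty by `ldapfilter` when the attribute is not populated on the user object, so the `fillnull` makes an unset department distinguishable from a user that was not found at all (the latter row keeps `fld_username` but gets no `displayName`). If some events come from a domain other than the one behind the `default` stanza, those users will not be found by this search and need a separate `ldapfilter` with the matching `domain=` value.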