All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

trying LDAPFilter to correlate logs - getting error

ariswadkar
New Member
‎12-30-2016 03:29 PM

I'm trying to correlate user/department from AD against some security logs that contain username in "User_Name" . I'm doing some field extractions because that field is in the format domain\username and there isn't a field that I've seen in our AD based on LDAPsearch in that format. The query and the error that I'm getting are below. I haven't been able to find any information on this error. 

host=<Host> | eval fld_username=if(substr(User_Name,1,len("Domain"))=="Domain",substr(User_Name,len("Domain\\")+1,len(User_Name)),"false")|ldapfilter domain=default search="(&(objectclass=user) (mailNickname=$fld_username$))"

External search command 'ldapfilter' returned error code 1. Script output = " ERROR "00002120: SvcErr: DSID-031404AF, problem 5012 (DIR_ERROR), data 0 "

0 Karma
Reply

kalianov
Path Finder
‎01-11-2017 06:32 AM

  1. Update your APP "Splunk Supporting Add-on for Active Directory"

  2. Check your (eval fld_username=...) string without ldapfilter part

  3. Try this:
    | ldapfilter domain="default" search="(&(objectclass=user) (sAMAccountNAme=$fld_username$))"
    attrs="sAMAccountNAme,telephoneNumber,displayName,title,department" | streamstats count AS N
    |table N, _time, fld_username, displayName,title,department,tel,telephoneNumber

0 Karma
Reply

ariswadkar
New Member
‎01-11-2017 10:22 AM

I cleared the error because I was missing the attrs parameter. But the query you'd provided doesn't include some of the information that I'm looking for - particularly department.

This is what the query looks like now. 

host=dgmc User_Name="DPCWL\*"| eval fld_username=substr(User_Name,len("DPCWL\\")+1,len(User_Name))|ldapfilter domain=default search="(&(objectclass=user) (mailNickname=$fld_username$)(!(objectClass=computer)))" attrs="mailNickname, department"
0 Karma
Reply

aaraneta_splunk
Splunk Employee
Splunk Employee
‎01-11-2017 10:40 AM

@ariswadkar - Is this search query you provided above the answer to your original question or was it intended as a comment/feedback to kalianov's answer? If yes--it is a working solution, please click "Accept" to resolve this question. If no, I can convert to your answer to a comment for better readability. Thanks.

0 Karma
Reply

ariswadkar
New Member
‎01-11-2017 11:23 AM

It's intended as a comment- it's not returning anything for department.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...