All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

using ldapsearch, ldapfetch to augment searchresults

dominiquevocat
SplunkTrust
SplunkTrust
‎12-13-2012 06:19 AM

I would like to fetch attributes from our metadirectory for any number of reasons

with the splunk support app ldap commands it is basically possible to query ldap and it sort of works

so doing
mysearch |ldapfilter domain=meta-intg search="(&(objectClass=inetOrgPerson)(cn=$CN$))" attrs="description,fullname,dn"

gives a table view with the attribute values as fields but i don't see the fields in the fields explorer sidebar and i can't use the fields in any subsequent command like table etc or augment them to the log entries.

What am i doing wrong?

ps: there is a small issue hence the filter else i get results but also a "size limit exceeded" resulting in zero results.

0 Karma
Reply

howyagoin
Contributor
‎08-13-2013 05:42 PM

I'm having the same problem, and the workaround described at:

http://answers.splunk.com/answers/94160/ldapfilter-unable-use-fields-returned-by-ldapfilter-in-subse...

Does seem to work, but it creates ugly/inconsistent results. I don't see where the fields are multi-value, and doing an export to JSON/CSV/XML confirms this, but without doing this series of eval statements, I can't get data in a table either.

0 Karma
Reply

mrflibbleuk
New Member
‎01-23-2013 07:36 PM

Hi,

I am having the same issue as outlined in the original question. Was the solution to this ever identified?

0 Karma
Reply

dominiquevocat
SplunkTrust
SplunkTrust
‎02-05-2013 12:36 AM

This might very well be the thing... 😞

0 Karma
Reply

ahall_splunk
Splunk Employee
Splunk Employee
‎01-24-2013 07:10 AM

The field names are not the same as you type - they are the "official" names - remember that field names are case sensitive. For example, dn is actually called "distinguishedName" - dn is just an alias.

Reply

ahall_splunk
Splunk Employee
Splunk Employee
‎12-17-2012 07:04 AM

You are using it in the right way, so something else must be going on. On my 5.0.1 system, this results in the fields appearing in the side-bar. We also use table, etc. several times in the Splunk App for Active Directory, so that would break if this didn't work.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...