Deployment Architecture

LDAP all Hosts and are they Connected?



I need a query that gives me the following:

All servers in my domain that have not connected to Splunk. 

with something like this:
where domain="*" AND Type="*" AND dNSHostName="SEWI*" | rex field=distinguishedName "CN=(?<hostname>[^\,]+).+"

Hope you can help me.

Thank you in advance,


Surprisingly when we had professional services out initially, this was a long and convoluted search.

Ours essentially works like this:

A scheduled search writes all LDAP assets to a lookup table. Something like this:


| localop | ldapsearch domain="default" search="(objectClass=computer)" attrs="sAMAccountName, distinguishedName, dNSHostName, managedBy"
| rex max_match=5 field=distinguishedName "OU=(?<dn_parsed>[^,]+)"
| eval category=lower(replace(mvjoin(dn_parsed, "|"), " ", "_"))
| eval priority=case(
   match(category, "domain_controller|exchange|citrix"), "critical",
   match(category, "server|disabled"), "high",
   match(category, "workstation|desktop|mobile|laptop"), "medium",
   match(category, "staging|test"), "low",
   1==1, "unknown")
| eval is_expected=if(priority=="high" OR priority=="critical", "true", "false")
| eval nt_host=replace(sAMAccountName, "\$", "")
| rename dNSHostName AS dns managedBy AS owner
| eval val2lookup = coalesce(dns, nt_host)
| lookup dnslookup clienthost as val2lookup output clientip as ip
| fillnull value="unknown" category, priority, bunit
| table ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av
| dedup nt_host
| outputlookup ldap_assets



Another search then looks for all hosts in Splunk and compares them to the lookup table above.


| tstats count  where index=* OR index=_* NOT host= by host index | eval host=lower(host)
| eval host=lower(case(match(host,"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"),host,match(host,"mydomain\.com$"),host,1==1,host.""))
| append [ | inputlookup ldap_assets | makemv delim="|" category | search category=servers | mvexpand category | eval dns=lower(case(dns=="localhost.localdomain",nt_host."",1==1,dns))
| lookup dnslookup clientip as ip outputnew clienthost as dns
| stats count by dns
| fields - count
| rename dns as host]
| eval in_host_list=if(isnull(count),true(),null()),in_splunk=if(isnotnull(count),true(),null())
| append [|inputlookup manual_host_list.csv | fields host | eval in_host_list="True"]
| stats values(*) as * by host
| where isnull(in_host_list) OR isnull(in_splunk)
| search in_host_list=true
| eval splunk_data="No Data"
| table host splunk_data



To me this is a pretty nasty solution to something that should be relatively simple. I've honestly never spent the time to try and fully understand these searches. They work for us, and they're a mess so I'll leave it be.


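The two searches in the answer above are really one pipeline: pull computer objects from AD, derive a category and priority from the OU path in the distinguishedName, normalise the host name (strip the trailing `$` from sAMAccountName, lower-case everything), then set-difference the inventory against the hosts Splunk has actually seen. The following Python is an added example, not code from this thread or from Splunk, that reproduces that logic offline so the rules can be checked before they are trusted in a lookup. The LDAP objects and the Splunk `host` values are constructed sample data; the `dnslookup` step and the `outputlookup` persistence are omitted, and `only_expected` is a parameter of this example, not a field the searches use. Note that `case()` evaluates its branches in order, so an OU path containing both "Test" and "Servers" lands in "high" because the "server" rule is checked before the "test" rule; the example keeps that ordering deliberately so the quirk is visible.

```python
import re

# Constructed sample AD computer objects (not from the thread), carrying the
# attrs the answer's ldapsearch requests.
LDAP_COMPUTERS = [
    {"sAMAccountName": "SEWI-DC01$",
     "distinguishedName": "CN=SEWI-DC01,OU=Domain Controllers,DC=example,DC=com",
     "dNSHostName": "sewi-dc01.example.com",
     "managedBy": "CN=Infra Team,OU=Groups,DC=example,DC=com"},
    {"sAMAccountName": "SEWI-APP02$",
     "distinguishedName": "CN=SEWI-APP02,OU=Servers,OU=Production,DC=example,DC=com",
     "dNSHostName": "sewi-app02.example.com", "managedBy": ""},
    {"sAMAccountName": "SEWI-WS15$",
     "distinguishedName": "CN=SEWI-WS15,OU=Workstations,DC=example,DC=com",
     "dNSHostName": "sewi-ws15.example.com", "managedBy": ""},
    {"sAMAccountName": "SEWI-TST03$",
     "distinguishedName": "CN=SEWI-TST03,OU=Test,OU=Servers,DC=example,DC=com",
     "dNSHostName": "", "managedBy": ""},
]

# Constructed values as Splunk would report them in the `host` field
# (the tstats search in the answer produces this list).
SPLUNK_HOSTS = ["sewi-dc01.example.com", "SEWI-WS15.example.com", "10.0.0.5"]

# rex max_match=5 field=distinguishedName "OU=(?<dn_parsed>[^,]+)"
OU_RE = re.compile(r"OU=([^,]+)")

# Same regexes and the same order as the case() in the first search.
PRIORITY_RULES = [
    (re.compile(r"domain_controller|exchange|citrix"), "critical"),
    (re.compile(r"server|disabled"), "high"),
    (re.compile(r"workstation|desktop|mobile|laptop"), "medium"),
    (re.compile(r"staging|test"), "low"),
]


def build_asset(obj):
    """Turn one AD computer object into one row of the ldap_assets lookup."""
    ous = OU_RE.findall(obj["distinguishedName"])[:5]          # max_match=5
    # lower(replace(mvjoin(dn_parsed, "|"), " ", "_"))
    category = "|".join(ous).replace(" ", "_").lower()
    priority = "unknown"                                        # 1==1 branch
    for pattern, level in PRIORITY_RULES:                       # first match wins
        if pattern.search(category):
            priority = level
            break
    nt_host = obj["sAMAccountName"].replace("$", "")            # replace(..., "\$", "")
    dns = obj["dNSHostName"] or None
    return {
        "nt_host": nt_host,
        "dns": dns,
        "owner": obj["managedBy"] or "unknown",                 # fillnull
        "category": category or "unknown",
        "priority": priority,
        "is_expected": priority in ("high", "critical"),
        "val2lookup": dns or nt_host,                           # coalesce(dns, nt_host)
    }


def build_lookup(objects):
    """Equivalent of `dedup nt_host | outputlookup`: first row per nt_host wins."""
    assets = {}
    for obj in objects:
        row = build_asset(obj)
        assets.setdefault(row["nt_host"], row)
    return assets


def normalize_host(host):
    # Both searches lower-case the host before comparing.
    return host.lower()


def hosts_missing_from_splunk(assets, splunk_hosts, only_expected=True):
    """Return nt_host values present in the inventory but never seen by Splunk.

    A host counts as seen if either its DNS name or its short NetBIOS name
    appears in the Splunk host list (the answer's append/stats does the same
    merge by name). `only_expected` restricts the report to rows whose priority
    is high/critical, i.e. the servers the original question asks about.
    """
    seen = {normalize_host(h) for h in splunk_hosts}
    missing = []
    for row in assets.values():
        if only_expected and not row["is_expected"]:
            continue
        names = {normalize_host(row["nt_host"])}
        if row["dns"]:
            names.add(normalize_host(row["dns"]))
        if seen.isdisjoint(names):
            missing.append(row["nt_host"])
    return sorted(missing)


if __name__ == "__main__":
    inventory = build_lookup(LDAP_COMPUTERS)
    for name, row in inventory.items():
        print(f"{name:12} category={row['category']:24} priority={row['priority']}")
    print("No data in Splunk:", hosts_missing_from_splunk(inventory, SPLUNK_HOSTS))
```

Running it lists SEWI-APP02 and SEWI-TST03 as having no data. SEWI-TST03 is reported as priority "high" rather than "low", which is the ordering quirk mentioned above; if that is not what you want, the "staging|test" branch has to move ahead of the "server|disabled" branch in the `case()`.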



Many thanks for the answer,

Unfortunately, the queries don't work for me:

Error in 'outputlookup' command: The lookup table 'ldap_assets' is invalid

Is it a version problem? We use Splunk v. 7.3.1

Kind regards,



I need to see if the service is not running or the agent isn't even installed on servers.
