We need to be able to use the results of an external command as inputs into a search query.
Specifically, we want to run a Python script that queries our AD and exclude the members of a group from search results. The Python script is all set but the integration into the query is confusing.
external_cmd = my_script.py
external_type = python
How can we integrate this so that the output is used as a NOT condition? Script and output can be modified too.
Assuming your script results yield one event per excluded user with a user field set to its login, you can do this:
sourcetype=something NOT [HRUserException]
That will take the results of the subsearch, for example these events:
and turn that into this search string:
( ( user="foo" ) OR ( user="bar" ) OR ( user="baz" ) )
The NOT in front of the subsearch will exclude those three users from the search, giving you this main search:
sourcetype=something NOT ( ( user="foo" ) OR ( user="bar" ) OR ( user="baz" ) )
If your external command results don't have a user field yet you may need to rex it out of the results first.