Can I get my search of Ironport logs to look up the username in Active Directory?

AlexD
Explorer

I've got a search of our Ironport web access logs that produces a list of cs_usernames (as well as other details), and with a small regex, these usernames match values in the sAMAccountName field in Active Directory records (which we're also indexing). What I'd like to do is replace the Ironport cs_username fields in my results with the AD field displayName from a search that matches the cs_username to sAMAccountName.

Any help would be greatly appreciated!

0 Karma
1 Solution

Ayn
Legend

Yes! Use lookups (http://docs.splunk.com/Documentation/Splunk/latest/User/CreateAndConfigureFieldLookups ).

One way would be to create a dynamic lookup script that queries Active Directory in real time when the search results are loaded. This could be slow and resource-consuming depending on how many lookups have to be performed when you issue the search. YMMV.

Another way would be to extract the AD users into a CSV file and have Splunk use that as a static lookup. This won't have the potential problems outlined in the previous solution, but you would obviously need to keep this CSV file updated so that it actually contains all the current AD users.

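The dynamic variant above, written out as an added example (it is not code from this thread or from Splunk). A Splunk external lookup is a script that receives a CSV of the lookup fields on stdin, fills in the missing output field and writes the CSV back to stdout; the field names cs_username, sAMAccountName and displayName are from the question, while the script name, the assumed Ironport username formats ("CORP\alexd" or "alexd@corp.example"), the transforms.conf stanza and the ldap3 call in the comment are assumptions. The AD query itself is replaced by a constructed in-memory table so the script runs offline. Two points the answer only hints at are built in: a per-run cache so each distinct user is resolved once (the "slow and resource consuming" caveat), and RFC 4515 escaping of the log-supplied username before it goes into the LDAP filter, since a crafted cs_username would otherwise rewrite the filter.

```python
#!/usr/bin/env python3
"""Splunk external lookup: cs_username -> AD displayName (added example).

Assumed transforms.conf stanza (script name is an assumption):
    [ad_user]
    external_cmd = ad_displayname.py cs_username displayName
    fields_list = cs_username, displayName
Splunk then runs the script with the field names as arguments, pipes a CSV
with those columns to stdin and reads the completed CSV from stdout.
"""
import csv
import io
import re
import sys
from typing import Callable

# Constructed stand-in for the directory, keyed by lower-cased sAMAccountName
# (AD treats the attribute case-insensitively). Not real data.
AD_DIRECTORY = {
    "alexd": "Alex Doe",
    "jsmith": "Jane Smith",
    "svc-ironport": "Ironport Service Account",
}

# Assumed Ironport formats: "DOMAIN\user", "user@realm" or bare "user".
# The bare part is what matches sAMAccountName.
_USERNAME_RE = re.compile(r"^(?:[^\\]+\\)?([^@]+)(?:@.*)?$")

# RFC 4515 filter escaping; each character is mapped independently.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def to_sam_account_name(cs_username: str) -> str:
    """Normalise an Ironport cs_username to a lower-cased sAMAccountName.
    Ironport writes "-" for unauthenticated requests; that yields ""."""
    s = cs_username.strip()
    if s in ("", "-"):
        return ""
    m = _USERNAME_RE.match(s)
    return m.group(1).lower() if m else ""


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter so log data cannot
    turn (sAMAccountName=x) into e.g. (sAMAccountName=*)(objectClass=*)."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_filter(sam: str) -> str:
    return f"(&(objectClass=user)(sAMAccountName={ldap_escape(sam)}))"


def stub_search(ldap_filter: str) -> str:
    """Constructed stand-in for the AD query, keyed off the filter text so the
    same code path runs offline. The production body would be (ldap3, assumed):
        conn.search(BASE_DN, ldap_filter, attributes=["displayName"])
        return conn.entries[0].displayName.value if conn.entries else ""
    """
    m = re.search(r"\(sAMAccountName=([^)]*)\)", ldap_filter)
    return AD_DIRECTORY.get(m.group(1), "") if m else ""


def lookup_display_name(cs_username: str, search: Callable[[str], str] = stub_search) -> str:
    sam = to_sam_account_name(cs_username)
    return search(build_filter(sam)) if sam else ""


def run(infile, outfile, search: Callable[[str], str] = stub_search) -> int:
    """Fill displayName for every row of the CSV Splunk sends; returns row count.
    A per-invocation cache means each distinct user costs one directory query."""
    reader = csv.DictReader(infile)
    fieldnames = reader.fieldnames or ["cs_username", "displayName"]
    writer = csv.DictWriter(outfile, fieldnames=fieldnames)
    writer.writeheader()
    cache: dict = {}
    rows = 0
    for row in reader:
        if not row.get("displayName"):
            user = row.get("cs_username", "")
            if user not in cache:
                cache[user] = lookup_display_name(user, search)
            row["displayName"] = cache[user]
        writer.writerow(row)
        rows += 1
    return rows


def run_on_text(csv_text: str) -> str:
    """Convenience wrapper for testing without stdin/stdout."""
    out = io.StringIO()
    run(io.StringIO(csv_text), out)
    return out.getvalue()


if __name__ == "__main__":
    run(sys.stdin, sys.stdout)
```

For the static route, the same normalisation still has to happen in SPL before the lookup command, e.g. a rex that strips the domain prefix into a field, followed by `| lookup <your_lookup> sAMAccountName AS <that_field> OUTPUT displayName` (the lookup and field names here are placeholders). Whichever route is used, the script or CSV should only expose the attributes actually needed (displayName here), not a full directory dump.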
AlexD
Explorer

Thanks, that's just what I needed.

I tested the static lookup with some sample AD data on a simple query and it worked well, so I'll try a full export and run it on a larger search, and if all goes well I'll just update the CSV as needed.

The dynamic lookup is a desired solution, but I'll have to find some time to look into this, as I know nothing about python scripting.

0 Karma