
Extracting hostname from event and then checking presence of computer account in ActiveDirectory using extracted text

dmcinnis
New Member

Hi Everyone,

I have a question regarding looking up an extracted/generated field from Splunk against Active Directory at search time.
The objective is as follows
1. Extract hostname from DHCP log
2. Check if hostname is present as a Computer object in AD
3. If not present, return hostname as a result

Do I have to extract all AD computer account objects and then put them in a CSV file to do a lookup against, or is it possible to compare the extracted hostnames against AD directly at search time using something like inline ldapsearch?

Any help would be greatly appreciated, I hope my search fu did not miss an answer to this kind of question already.

Many thanks
David.

0 Karma
1 Solution

yannK
Splunk Employee

Use a subsearch result to populate the search condition of the main search.

<main_search_conditions> [ search <subsearch_on_ldap> | dedup host | table host ]
| <end_of_my_mainsearch_processing>

The subsearch will return something in the format (host=A OR host=B OR host=C ...).
The time range will be the same for both searches. You can specify it manually in the search terms if different ranges are needed.

See http://docs.splunk.com/Documentation/Splunk/6.0/Search/Usesubsearchtocorrelateevents


0 Karma
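The pattern above written out against the original question (hosts seen in DHCP but absent from AD), as an added example that is not part of this thread. It assumes ISC dhcpd-style DHCPACK lines with the client hostname in parentheses, an index named dhcp, and a domain stanza named EXAMPLE configured in the Splunk Support for Active Directory app (the ldapsearch command comes from that app). The AD computer name is taken from cn and lower-cased on both sides so that case differences do not produce false "missing" results; the extracted name goes into its own field (dhcp_host) rather than overwriting Splunk's default host field, and the subsearch must emit the same field name so the generated (dhcp_host=A OR dhcp_host=B ...) terms apply to it:

```spl
index=dhcp sourcetype=dhcpd "DHCPACK"
| rex field=_raw "\((?<hostname>[^)]+)\)"
| eval dhcp_host=lower(mvindex(split(hostname, "."), 0))
| search NOT [
    | ldapsearch domain=EXAMPLE search="(objectClass=computer)" attrs="cn"
    | eval dhcp_host=lower(cn)
    | dedup dhcp_host
    | table dhcp_host ]
| stats count AS leases, latest(_time) AS last_seen BY dhcp_host
| convert ctime(last_seen)
```

Two caveats when using this for a "not in AD" check. The subsearch is capped by limits.conf (by default 10,000 results and 60 seconds); if the domain has more computer objects than that, the list is silently truncated and every host beyond the cut-off is reported as missing, so compare the count returned by the ldapsearch on its own with the number of computer objects you expect. The split on "." strips any DNS suffix a client sends, because AD cn holds only the short name.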

gkanapathy
Splunk Employee

It certainly is possible to perform a dynamic (scripted) lookup against any external source (such as Active Directory) rather than keeping the file up to date, or using a subsearch.

The subsearch as answered by yannK does solve your problem, provided you use the ldapsearch search command that is provided in the Splunk Support for AD app: http://apps.splunk.com/app/1151/# It does have some limitations, though.

If you did want a lookup, you would either keep the AD CSV file up-to-date, or you would build a dynamic lookup. Unfortunately the Splunk AD app doesn't include such a program. You can find out how to structure such a lookup program here: http://docs.splunk.com/Documentation/Splunk/6.0/Knowledge/Addfieldsfromexternaldatasources#Set_up_a_...

dmcinnis
New Member

Many thanks. I messed up when marking answers, so you should both get the nod for answering my question.

0 Karma


somesoni2
Revered Legend

You can use the 'ldapfilter' command to query against LDAP in the search.
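The ldapfilter variant of the same check, as an added example that is not from this thread. It assumes the same dhcp index, dhcpd DHCPACK format and EXAMPLE domain stanza as above, and that ldapfilter substitutes $field$ references from each input event into the filter (the Splunk Support for Active Directory app's syntax). Unlike the subsearch approach it issues one LDAP query per distinct hostname and has no 10,000-result cap, so dedup first to keep the query count down. The hostname is client-supplied (DHCP option 12), so it is constrained to RFC 1123 label characters with the regex command before it is placed in the LDAP filter; anything else is dropped rather than looked up:

```spl
index=dhcp sourcetype=dhcpd "DHCPACK"
| rex field=_raw "\((?<hostname>[^)]+)\)"
| eval dhcp_host=mvindex(split(hostname, "."), 0)
| regex dhcp_host="^[A-Za-z0-9-]{1,63}$"
| dedup dhcp_host
| ldapfilter domain=EXAMPLE search="(&(objectClass=computer)(cn=$dhcp_host$))" attrs="distinguishedName"
| where isnull(distinguishedName)
| table dhcp_host
```

Events whose hostname matched a computer object get distinguishedName filled in; the where clause keeps only those with no match, which is the "not present in AD" list the question asked for.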
