Getting Data In

Extracting hostname from event and then checking presence of computer account in ActiveDirectory using extracted text

dmcinnis
New Member

Hi Everyone,

I have a question regarding looking up an extracted/generated field from Splunk against Active Directory at search time.
The objective is as follows:
1. Extract hostname from DHCP log
2. Check if hostname is present as a Computer object in AD
3. If not present, return hostname as a result

Do I have to extract all AD computer account objects and then put them in a CSV file to do a lookup against, or is it possible to compare the extracted hostnames against AD directly at search time using something like inline ldapsearch?

Any help would be greatly appreciated, I hope my search fu did not miss an answer to this kind of question already.

Many thanks
David.

1 Solution

yannK
Splunk Employee

Use a subsearch result to populate the search condition from the main search.

<main_search_conditions> [ search <subsearch_on_ldap> | dedup host | table host ]
| <end_of_my_mainsearch_processing>

The subsearch will return something in the format (host=A OR host=B OR host=C ...).
The time range will be the same for both searches. You can specify it manually in the search terms if different ranges are needed.

See http://docs.splunk.com/Documentation/Splunk/6.0/Search/Usesubsearchtocorrelateevents


gkanapathy
Splunk Employee

It certainly is possible to perform a dynamic (scripted) lookup against any external source (such as Active Directory) rather than keeping the file up to date, or using a subsearch.

The subsearch as answered by yannK does solve your problem, provided you use the ldapsearch search command that is provided in the Splunk Support for AD app (http://apps.splunk.com/app/1151/#). It does have some limitations though.

If you did want a lookup, you would either keep the AD CSV file up-to-date, or you would build a dynamic lookup. Unfortunately the Splunk AD app doesn't include such a program. You can find out how to structure such a lookup program here: http://docs.splunk.com/Documentation/Splunk/6.0/Knowledge/Addfieldsfromexternaldatasources#Set_up_a_...
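As an added example (not code from either answer, nor from the Splunk Support for AD app), a minimal external lookup in the CSV-in/CSV-out shape Splunk uses for scripted lookups: each DHCP hostname is mapped to its computer account's sAMAccountName and an in_ad field is filled. The directory call is a constructed stand-in (fake_ad_has_computer and KNOWN_COMPUTERS are assumptions; a real deployment would use an LDAP client), and the filter value is escaped because the hostname is taken from log text.

```python
#!/usr/bin/env python3
# Splunk external lookups exchange CSV: the script reads the lookup rows on
# stdin (output fields blank) and writes the same rows, fields filled, to stdout.
import csv
import sys

# RFC 4515 escaping for values placed inside an LDAP search filter. The
# hostname is taken from DHCP log text, so it is never interpolated raw.
_LDAP_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}

def escape_ldap_filter_value(value: str) -> str:
    return ''.join(_LDAP_ESCAPES.get(ch, ch) for ch in value)

def to_sam_account_name(hostname: str) -> str:
    """DHCP logs carry 'pc01.corp.example' or 'PC01'; AD stores the computer
    account as the upper-cased short name followed by '$'."""
    short = hostname.strip().split('.')[0].upper()
    return f"{short}$"

def computer_filter(hostname: str) -> str:
    """LDAP filter that selects the computer account for one hostname."""
    sam = escape_ldap_filter_value(to_sam_account_name(hostname))
    return f"(&(objectCategory=computer)(sAMAccountName={sam}))"

def fill_lookup(rows, ad_has_computer):
    """Fill 'in_ad' for every row; ad_has_computer(ldap_filter) -> bool is the
    directory query (a real deployment would call an LDAP client here)."""
    out = []
    for row in rows:
        present = ad_has_computer(computer_filter(row['host']))
        out.append({**row, 'in_ad': 'true' if present else 'false'})
    return out

# Constructed stand-in for the directory: the computer accounts AD "knows".
KNOWN_COMPUTERS = {"PC01$", "LAPTOP-7$"}

def fake_ad_has_computer(ldap_filter: str) -> bool:
    """Stub: pull the escaped sAMAccountName back out of the filter string."""
    sam = ldap_filter.split('sAMAccountName=')[1].rstrip(')')
    return sam in KNOWN_COMPUTERS

if __name__ == '__main__':
    reader = csv.DictReader(sys.stdin)
    writer = csv.DictWriter(sys.stdout, fieldnames=reader.fieldnames or ['host', 'in_ad'])
    writer.writeheader()
    writer.writerows(fill_lookup(reader, fake_ad_has_computer))
```

Once wired in through transforms.conf as an external_cmd lookup, a search can keep the rows with in_ad=false to list the hostnames that have no computer account in AD.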

dmcinnis
New Member

Many thanks. I messed up when marking answers, so you should both get the nod for answering my question.



somesoni2
Revered Legend

You can use the 'ldapfilter' command to query against LDAP in the search.
