Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Run external Linux command from within search.

westar
Engager
‎06-23-2010 01:21 PM

I need to run a shell script or Linux command inside my search to obtain external Ldap information. I have a UserID that I would like to associate to a full name using a Ldapsearch command passing the UserID from the search.

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

the_wolverine
Champion
‎06-24-2010 01:50 PM

It can be done:

  • Write a script that queries LDAP for all the required attributes and convert the resultset to a csv file.

  • Configure a lookup for your source or sourcetype to query the csv file to match the userid to CN.

View solution in original post

Reply
Solved! Jump to solution
Solution

the_wolverine
Champion
‎06-24-2010 01:50 PM

It can be done:

  • Write a script that queries LDAP for all the required attributes and convert the resultset to a csv file.

  • Configure a lookup for your source or sourcetype to query the csv file to match the userid to CN.

Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎06-24-2010 06:43 AM

You can either use a lookup script (follow Lowell's links) or create a custom search command. I would recommend the lookup script, and it sounds like it fits your use case best. An similar alternative that can perform better if you don't require live lookups is to periodically export the data en masse from the LDAP server, write it into a CSV file format into the appropriate location on the Splunk search server, and use a Splunk file lookup against this file.

Reply
Solved! Jump to solution

Lowell
Super Champion
‎06-23-2010 01:57 PM

Sounds like you want to use an external lookup script. These have to be written in python, but you can use a simply python script to call the necessary ldap commands (via command line, or via python ldap modules). From there it's a simple matter of writing out a CSV file that contains your new output fields.

Helpful resources:

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Casting Call: Compete in Cyber Games

Lights, Camera, SecOps: Apply to Compete in Cyber Games     Think you have what it takes to beat the clock? ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

How Edge Processor's Durable Queue Works

Edge Processor sits in one of the most consequential places in any Splunk pipeline: between your data sources ...