Reporting

Populate Email Address for users

Contributor

Hi,
I am using Splunk 6.1.2 and email mail addresses can't be automatically pulled from AD. Is there a way to manually insert user's email address?

Thanks in advance!

Tags (3)
0 Karma

SplunkTrust
SplunkTrust

If the information is not flowing from AD directly, may be monitoring AD (See here) will help you get the information to Splunk. Once its in Splunk, you can join/correlate using search query OR can setup a auto-update lookup table with that information.

0 Karma

Contributor

I can confirm user's email address is available in AD directory. However, when I examine the user's attributes under Manager>>Access controls>>Users>>juser, Email address is blank (and uneditable). The user is also unable to edit their own email preferences.

Basically, I am seeking a way to manually insert user's email address in some config file under $Splunk_Home/ directory.

0 Karma

SplunkTrust
SplunkTrust

Ok, I was going through the documentation for version 6.2.1 and found one related thing. In authentication.conf, there is an attribute called "emailAttribute"
emailAttribute =
* OPTIONAL
* This is the user entry attribute whose value is their email address.
* Defaults to 'mail'

IMO, this should be attribute set correctly to a value based on your AD setting (it may be possible that email addresses are stored in some other user attribute for your AD than 'mail').

I didn't see this property in previous versions and I have checked couple of my instances using Splunk 5 as well as Splunk 6.0/6.1.2 and all don't show email address from AD.

Would be interesting to see if there is any workaround available for previous version.

0 Karma

Contributor

Thank you for pinpointing the information. I will need to first find out the key of the entry attribute -- emailAttribute in our firm's AD directory.

0 Karma

SplunkTrust
SplunkTrust

Following along here:

Create the lookup file as CSV.
Create the local-to-your-server folder and put the file there.
Add a stanza to transforms.conf (local or in app, not "default" ).
Optionally, you can make the lookup "automatic" which will make the matched/lookup fields "just show up" in searches instead of requiring you to run a 'lookup' specifically.
Restart.

There is a great example at the bottom of the docs I linked to.

0 Karma

Contributor

I read the online doc -- Configure CSV and external lookups
However, I still don't find how the csv file will map e.g. user ID rich with the email address.

Assuming the user, rich, runs an interactive search from GUI and sends the job to background. How will he receives an email to richm@myemailaddress.com when the job is completed?

0 Karma

SplunkTrust
SplunkTrust

OH!!!! Sorry, I think I totally misunderstood the problem!

That's a bit of a different beast and one I don't know the answer to.

0 Karma

Contributor

No problem. Thanks for the prompt response in any case!

0 Karma

Contributor

My apology but I can't find the link of the great example at the bottom of the docs. Can you please post again?

Your help is greatly appreciated!

0 Karma

Contributor
0 Karma

SplunkTrust
SplunkTrust

Note you'll want your csv to be at least two columns: the name to look up and the email you want returned. Like..

account, email
rich, richm@myemailaddress.com
bill, billg@microsoft.com
linus, linus@torvalds.net

0 Karma

SplunkTrust
SplunkTrust

There are a couple of methods that could be used, depending on exactly what is meant by "email addresses can't be automatically pulled from AD".

I'd be interested to know if you have installed the splunk support for active directory app here to see what it can do for you? Once installed and configured as necessary, you should be able to do things like |ldapsearch domain=SPL search="(objectClass=user)" (which I pulled straight from their docs).

You could also create a lookup that reads from a file. Populate the CSV either manually or perhaps via powershell. (Search the web for "powershell export email addresses"). This could be scheduled (e.g. with Windows Task scheduler) once per day or something.

0 Karma

Contributor

Hi,
I configured LDAP authentication, pointing to our AD domain controller. The users get mapped to roles successfully, but I examine the user's attributes under Manager>>Access controls>>Users>>juser, Email address is blank (and uneditable). The user is also unable to edit their own email preferences.

I didn't install the app -- Splunk Support for Active Directory. The main reason is because I don't have access to the LDAP window server in my firm.

I am wondering if it's possible to manually insert user's email address in some config file under $Splunk_Home/ directory.

Thank you!

0 Karma