Security

Why is the dashboard using input field will not show a table ldapsearch?

vincenp2
New Member

I have a dashboard which carries out an ldapsearch when CN is input using an input field
currently it returns all details, but I would like it to return a table if possible showing just cn and mail

current search generated in dashboard is:

| ldapsearch search="(objectclass=user)" | search $cn_field$

if I add | table cn mail to the end of this search it seems to be ignored

If I run this as a normal search, and use a specific CN instead of $cn_field$ I can get it to work and report as a table
e.g.

| ldapsearch search="(objectclass=user)" | search xyz123 | table cn mail

this results in a table showing the CN of xyz123, and the associated email address

Can anyone advise as to how I can get a table to be produced using an input field please?

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi vincenp2,
I created a dashboard like the one you want searching for name, status and expiring year, my search was

| ldapsearchsearch="(&(objectClass=user)(!(objectClass=computer)))"attrs="displayName,givenName,sn,distinguishedName,objectCategory,sAMAccountName,sAMAccountType,description,accountExpires,userAccountControl"
| search $text$ $status$ accountExpires="$year$*" 

if you want to search only about name try

| ldapsearchsearch="(&(objectClass=user)(!(objectClass=computer)))"attrs="displayName,givenName,sn,distinguishedName,objectCategory,sAMAccountName,sAMAccountType,description,accountExpires,userAccountControl"
| search $text$ 

Bye.
Giuseppe

View solution in original post

0 Karma

vincenp2
New Member

hi Giuseppe, many thanks for getting back to me so quickly - I would have liked to have been able to create a table if possible, however what you have provided allows me to do what I need and just present certain elements of the output

Thanks again, it is much appreciated 🙂

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi vincenp2,
I created a dashboard like the one you want searching for name, status and expiring year, my search was

| ldapsearchsearch="(&(objectClass=user)(!(objectClass=computer)))"attrs="displayName,givenName,sn,distinguishedName,objectCategory,sAMAccountName,sAMAccountType,description,accountExpires,userAccountControl"
| search $text$ $status$ accountExpires="$year$*" 

if you want to search only about name try

| ldapsearchsearch="(&(objectClass=user)(!(objectClass=computer)))"attrs="displayName,givenName,sn,distinguishedName,objectCategory,sAMAccountName,sAMAccountType,description,accountExpires,userAccountControl"
| search $text$ 

Bye.
Giuseppe

View solution in original post

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!