Hi

I'm trying to create a Identity Lookup for Splunk Enterprise Security. I have a users from Group and OU's which has to be critical, I'm using the below search, OU case is working but no the group one, is there anything I'm missing?

| ldapsearch domain="XXXXX" search="(&(objectClass=user)(!(objectClass=computer)))" attrs="sAMAccountName,displayName,givenName,sn,mail,telephoneNumber,manager,department,whenCreated,accountExpires, userAccountControl, distinguishedName,userPrincipalName,employeeID"
|search userAccountControl="NORMAL_ACCOUNT"
|eval suffix=""
| eval priority=case(       like(distinguishedName,"%OU=AdminAccounts,DC=XXXXXXX,DC=com"), "critical",
                            like(distinguishedName,"%OU=DomainAdmins,OU=AdminAccounts,DC=XXXXXX,DC=com"), "critical", 
                            like(sAMAccountName,"%CN=Enterprise Admins ,CN=Users,DC=XXXXXX,DC=com"), "critical",

                            1==1,"medium" )

 | eval category=case(      like(distinguishedName,"%OU=DomainAdmins,OU=AdminAccounts,DC=XXXXXX,DC=com"), "Domain Admins" ,
                            like(distinguishedName,"%OU=AdminAccounts,DC=XXXXXX,DC=com"), "Admin Accounts",
                            like(sAMAccountName,"%CN=Enterprise Admins ,CN=Users,DC=XXXXXX,DC=com"), "Enterprise Admins",
                             1==1,"normal" )
|eval endDate=""
|eval watchlist="false"
|table sAMAccountName ,personalTitle,displayName,givenName,sn,suffix,mail,telephoneNumber,mobile,manager,priority,department,category,watchlist,startDate,endDate
|rename sAMAccountName as identity,personalTitle as prefix, displayName as nick, givenName as first, sn as last, mail as email, telephoneNumber as phone, mobile as phone2, manager as managedBy, department as bunit 

Enterprise ADmins is not working here?