I recently installed the OpenLDAP add-on on both a Splunk Cloud instance and a Splunk Enterprise Security instance:
https://splunkbase.splunk.com/app/3520/
However, the field extraction only occurs within the Splunk Cloud instance, not ES. How does this happen? What would be a fix for this?
This is likely due to the app-imports-update mod input not being configured to accept the OpenLDAP app name:
https://docs.splunk.com/Documentation/ES/5.1.0/Install/ImportCustomApps
I can see Splunk_TA_openldap being imported within ES when the command below is performed. It seems like apps are being imported.
| rest /servicesNS/admin/system/apps/local/SplunkEnterpriseSecuritySuite/import splunk_server=local | fields import
I assume you have done debug/refresh.
Search:
index=yourindex sourcetype=ldap modifiersname=*
Try this search on both the instances.
When your modifiersname is searched in ES, no results get returned, while you get a bunch of data within Splunk Cloud.
Can you please check the permissions for the OpenLDAP add-on?
Is it Private or Global or App?
Please make it Global.
It was set to App and I changed it to Global. However, there is no difference in field extraction.