Splunk Enterprise Security

OpenLDAP add-on fields extraction

kevinleeV
New Member

I recently installed openldap add-on on both splunk cloud instance and splunk enterprise security instance

https://splunkbase.splunk.com/app/3520/

However, the fields extraction only occurs within splunk cloud instance, not ES. How does this happen? What would be a fix for this?
alt text

0 Karma

kchamplin_splun
Splunk Employee
Splunk Employee

This is likely due to app-imports-update mod input not configured to accept the OpenLDAP app name:
https://docs.splunk.com/Documentation/ES/5.1.0/Install/ImportCustomApps

0 Karma

kevinleeV
New Member

I can see Splunk_TA_openldap being imported within ES when below command is performed. Seems like apps are being imported

| rest /servicesNS/admin/system/apps/local/SplunkEnterpriseSecuritySuite/import splunk_server=local | fields import

0 Karma

kthammireddygar
Path Finder

i assume you have done debug/refresh.

Search :
index=yourindex sourcetype=ldap modifiersname=*

try this search on both the instances.

0 Karma

kevinleeV
New Member

When your modifiedersname is searched in ES, no results get returned, while you get a bunch of data within Splunk cloud

0 Karma

kthammireddygar
Path Finder

Can you please check Permissions for openldap add-on?
Is it Private or Global or App?
Please make it Global.

0 Karma

kevinleeV
New Member

It was set to App and I changed to Global. However, there is no difference in fields extraction.

0 Karma