Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Command ldapsearch and collect to index data

bmarona
Explorer
‎01-22-2021 12:01 AM

Hello Everyone,

 

I need help because I have issues with collect command and with data from LDAP (collected with ldapsearch command).
My goal is to collect data from ldap with command "| ldapsearch domain=default search="(&(objectClass=user))" attrs="<attribute_list>" " and index it in "ldapdata" index. For this purpose I wanted to use collect command "| collect index=ldapdata sourcetype=ldap".
From ldapsearch i get events:
_raw1 = {JSON 1}
_raw2 = {JSON 2}
_raw3 = {JSON 3}
.
.
.
_rawN = {JSON N}

After collect command I get this events as one big event in ldap index ($ is end of line):
_raw1 = {JSON 1}${JSON 2}${JSON 3}$...{JSON N}$

Can somebody advise solution on how to index mentioned data in the index as separated JSON events?

Thanks for your help!

0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎01-22-2021 01:15 AM

Hi @bmarona,

If you put a table for the attribute_fields command before collect, you will have separate events. Please try the below sample; 

| ldapsearch domain=default search="(&(objectClass=user))" attrs="<attribute_list>" 
| table <attribute_list>

 

If this reply helps you an upvote is appreciated.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply

bmarona
Explorer
‎01-22-2021 03:18 AM

@scelikokThanks for the quick answer, tricks with table works - so there is no way to ingest it as JSON?

0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎01-22-2021 03:27 AM

@bmarona,

You can use table for _raw field.

| ldapsearch domain=default search="(&(objectClass=user))" attrs="<attribute_list>" 
| table _raw

 

If this reply helps you an upvote is appreciated.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply

bmarona
Explorer
‎01-22-2021 03:38 AM

@scelikokUnfortunately | table _raw doesn't work - it still connects events into one big event. So I believe I need to stick to a table version of attributes which is much worse in regards to readability.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...