Hi,
I have the following search:

index="windows" source=WinEventLog:Security ([| inputlookup windows_group_change_events | where group_action like "member added" or group_action like "member removed" | fields EventCode ]) NOT src_user=portalsync
| ldapfilter search="(&(objectClass=group)(cn=$Group_Name$))" attrs="distinguishedname,description, info"
| eval _raw = json_object("time", _time, "action_by", src_user, "event_code", EventCode, "group", mvindex(Security_ID, 2), "member", mvindex(Security_ID, 1), "orig_sourcetype", sourcetype, "orig_host", host, "dn", distinguishedName, "desc", description, "info", info)
| fields _time, _raw
| collect index=windows_ad_summary addtime=0 source="windows_group_management"
I try to save the group membership change events to a different index for long-term retention.
I got the original idea from here: https://conf.splunk.com/files/2017/slides/using-splunk-enterprise-to-optimize-tailored-longterm-data...
My problem is that this search always returns "no results".
If I omit the "fields" and "collect" commands it returns results as intended. Also if I omit the "ldapfilter" command it works just fine.
Do you have any idea what the problem is with the combination of "ldapfilter" and "fields"?
Thanks,
Laszlo
Edit: I'm using Splunk 8.0.9
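As an added example (not part of Laszlo's post or of Splunk), the Python below builds the same JSON summary record that the eval/json_object stage of the search above is meant to emit: it takes the multivalue Security_ID field in the order the search assumes (index 1 = member, index 2 = group), applies the NOT src_user=portalsync exclusion, and merges in the group attributes ldapfilter would return. The event fields, the SIDs, the host name and the directory entry are all constructed sample values; the "group_action" lookup is represented only by the EventCode the event carries. Because mvindex returns nothing for an out-of-range index, the record shows which fields end up empty when an event has fewer SIDs than expected.

```python
import json

# Constructed sample event, shaped like the fields a Windows Security
# group-change event exposes in Splunk (values are made up).
SAMPLE_EVENT = {
    "_time": 1700000000,
    "src_user": "admin01",
    "EventCode": "4728",
    # Multivalue Security_ID as the search assumes it: [actor, member, group]
    "Security_ID": [
        "S-1-5-21-1111-2222-3333-500",
        "S-1-5-21-1111-2222-3333-1105",
        "S-1-5-21-1111-2222-3333-1200",
    ],
    "sourcetype": "WinEventLog:Security",
    "host": "dc01.example.test",
    "Group_Name": "Domain Admins",
}

# Constructed stand-in for the directory answer that ldapfilter attaches;
# keys are the attrs the search requests.
DIRECTORY = {
    "Domain Admins": {
        "distinguishedName": "CN=Domain Admins,CN=Users,DC=example,DC=test",
        "description": "Designated administrators of the domain",
        "info": None,
    },
}

EXCLUDED_USERS = {"portalsync"}  # mirrors NOT src_user=portalsync


def mvindex(values, index):
    """Behave like Splunk's mvindex: None when the index is out of range."""
    if not isinstance(values, list):
        values = [values]
    if index < 0 or index >= len(values):
        return None
    return values[index]


def ldap_enrich(group_name):
    """Stand-in for ldapfilter: attributes for the group, or nothing on no match."""
    return DIRECTORY.get(group_name, {})


def build_summary_record(event):
    """Return the dict that json_object() in the search would serialise,
    or None when the event is filtered out by the src_user exclusion."""
    if event.get("src_user") in EXCLUDED_USERS:
        return None
    attrs = ldap_enrich(event.get("Group_Name"))
    return {
        "time": event["_time"],
        "action_by": event.get("src_user"),
        "event_code": event.get("EventCode"),
        "group": mvindex(event.get("Security_ID", []), 2),
        "member": mvindex(event.get("Security_ID", []), 1),
        "orig_sourcetype": event.get("sourcetype"),
        "orig_host": event.get("host"),
        "dn": attrs.get("distinguishedName"),
        "desc": attrs.get("description"),
        "info": attrs.get("info"),
    }


def to_raw(record):
    """Serialise the record the way eval _raw = json_object(...) would."""
    return json.dumps(record, sort_keys=True)


def missing_fields(record):
    """Names of fields that came back empty; useful to spot events whose
    Security_ID order or LDAP lookup did not match expectations."""
    return sorted(k for k, v in record.items() if v is None)


if __name__ == "__main__":
    rec = build_summary_record(SAMPLE_EVENT)
    print(to_raw(rec))
    print("empty fields:", missing_fields(rec))
```

Running the block prints the single-line JSON that would land in the summary index and lists the attributes that were empty (here only "info", because the constructed directory entry has none).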