Filter a ldapsearch query for a specific group using a wildcard?

krisdev
New Member

| ldapsearch domain=default search="(sAMAccountNAme=%user%)" attrs="memberOf" is the query I am using, but I want to filter the results to only include users that are part of a Citrix group. Is there a way?

0 Karma
1 Solution

to4kawa
Ultra Champion
| stats count
| eval user=split("Allice,Bob,Smith,Ken,Cathey,Jeff,Tom,Bekkey",",")
| mvexpand user
| eval count=random() % 2
| eval memberOf=case(count==1,"Citrix",count==0,"notCitrix")
| fields user,memberOf
| where memberOf=="Citrix"

Hi, this is a sample query.

| ldapsearch domain=default search="(sAMAccountNAme=%user%)" attrs="sAMAccountNAme,memberOf"
| where memberOf=="Citrix"

How about this? Please change Citrix to an appropriate name.

0 Karma
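
An added example, not part of to4kawa's answer: when memberOf holds full group DNs rather than a bare name, this runnable search keeps only users who have at least one group whose CN contains "citrix" (case-insensitive), and ignores a match that appears only in an OU. The users, the example.com DNs and the field names constructed_rows and citrixGroups are constructed for illustration, and it assumes memberOf is a multivalue field of group DNs.

```spl
| makeresults
| eval constructed_rows=split("alice:CN=Citrix Users,OU=Groups,DC=example,DC=com;CN=VPN Users,OU=Groups,DC=example,DC=com#bob:CN=VPN Users,OU=Groups,DC=example,DC=com#ken:CN=citrix-admins,OU=Groups,DC=example,DC=com#tom:CN=Helpdesk,OU=Citrix,DC=example,DC=com", "#")
| mvexpand constructed_rows
| eval sAMAccountName=mvindex(split(constructed_rows, ":"), 0), memberOf=split(mvindex(split(constructed_rows, ":"), 1), ";")
| eval citrixGroups=mvfilter(match(memberOf, "(?i)^CN=[^,]*citrix"))
| where isnotnull(citrixGroups)
| table sAMAccountName citrixGroups
```

To apply it to directory data, replace the first four lines with the ldapsearch line from the answer above and keep the last three.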

krisdev
New Member

Let me give this a go, will report back

0 Karma

krisdev
New Member

This has seemed to scratch the itch I had with filtering by group, thanks @to4kawa.

0 Karma

to4kawa
Ultra Champion

You're welcome, happy Splunking.

By the way,

%user% → $user$

it might be?

0 Karma

krisdev
New Member

Thanks, yeah I always mix those two up, all good!

0 Karma

to4kawa
Ultra Champion

Yes, Happy Splunking.

0 Karma