Splunk Search

Filter a ldapsearch query for a specific group using a wildcard?

krisdev
New Member

| ldapsearch domain=default search="(sAMAccountNAme=%user%)" attrs="memberOf", is the query I am using but I want to filter the results to only include users that are part of a Citrix group, is there a way?

Tags (1)
0 Karma
1 Solution

to4kawa
Ultra Champion
| stats count
| eval user=split("Allice,Bob,Smith,Ken,Cathey,Jeff,Tom,Bekkey",",")
| mvexpand user
| eval count=random() % 2
| eval memberOf=case(count==1,"Citrix",count==0,"notCitrix")
| fields user,memberOf
| where memberOf=="Citrix"

Hi, This is sample query.

| ldapsearch domain=default search="(sAMAccountNAme=%user%)" attrs="sAMAccountNAme,memberOf"
| where memberOf=="Citrix"

How about this? please change Citrix to an appropriate name.

View solution in original post

0 Karma

to4kawa
Ultra Champion
| stats count
| eval user=split("Allice,Bob,Smith,Ken,Cathey,Jeff,Tom,Bekkey",",")
| mvexpand user
| eval count=random() % 2
| eval memberOf=case(count==1,"Citrix",count==0,"notCitrix")
| fields user,memberOf
| where memberOf=="Citrix"

Hi, This is sample query.

| ldapsearch domain=default search="(sAMAccountNAme=%user%)" attrs="sAMAccountNAme,memberOf"
| where memberOf=="Citrix"

How about this? please change Citrix to an appropriate name.

0 Karma

krisdev
New Member

Let me give this a go, will report back

0 Karma

krisdev
New Member

This has seemed to scratch the itch I had with filtering by group, thanks @to4kawa .

0 Karma

to4kawa
Ultra Champion

your welcome, happy Splunking

by the way

% user% → $ user $

it might be?

0 Karma

krisdev
New Member

Thanks, yeah I always mix those two up all good!

0 Karma

to4kawa
Ultra Champion

Yes, Happy Splunking.

0 Karma
Get Updates on the Splunk Community!

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Splunk Federated Analytics for Amazon Security Lake

Thursday, November 21, 2024  |  11AM PT / 2PM ET Register Now Join our session to see the technical ...

Splunk With AppDynamics - Meet the New IT (And Engineering) Couple

Wednesday, November 20, 2024  |  10AM PT / 1PM ET Register Now Join us in this session to learn all about ...