I need to create a search that can retrieve a list of privileged group members from my LDAP server so I can then use that list in my search string.
For example, if I wanted to list all users who are or are not privileged group members I could say something like:
index=* user=* | stats count by user (EXCLUDING ALL OTHER USERS IN THE LIST OF LDAP PRIVILEGED GROUP MEMBERS I RETRIEVED)
I have looked into trying to use an external scripted lookup that will connect to my LDAP and do a query, but no luck yet.
I am also seeing some answers that say to use something like this:
| rest /services/authentication/users splunk_server=local | table realname
No idea what exactly that does or what/where.
How can I accomplish this?
To get the list of users in the system, use the search below:
| rest /services/authentication/users splunk_server=local | table type, title, roles, realname email *
To get only the LDAP users you have to filter on the type, where
type=LDAP is an LDAP user and
type=Splunk is a Splunk-created user:
| rest /services/authentication/users splunk_server=local | where type="LDAP" | table type, title, roles, realname email *
Hope this helps you!!
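One way to plug the rest output into the original "exclude these users" search, as an added example that is not part of the answer above: the subsearch returns the Splunk login names (the `title` field of the users endpoint) of LDAP-authenticated accounts that hold a given role, and the outer search drops those users before counting. The role name `admin` and the assumption that the `user` field in your events uses the same login name as the Splunk account are both assumptions; adjust them to your environment.

```spl
index=* user=* NOT [
    | rest /services/authentication/users splunk_server=local
    | where type="LDAP"
    | search roles="admin"
    | rename title AS user
    | fields user
]
| stats count by user
```

Note that this enumerates Splunk accounts that happen to have logged in through LDAP with that role, not the membership of an LDAP group; a privileged user who has never logged in to Splunk will not appear. The subsearch is also subject to the default subsearch result limit (10,000 rows), which is worth checking against the size of the user list before relying on the exclusion.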
Yea I have permissions. But this doesn't sound like what I need or maybe I just don't fully understand what this is doing. I need to be able to actually connect to my LDAP server and get a list of privileged group members from the LDAP.
LDAP users which have access to Splunk will be listed by the rest command.
If you want to query the LDAP, usually organizations will use some GUI for LDAP / Active Directory; you can use the
Add-on SA-LDAPSearch.
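An added example of what the SA-LDAPSearch approach looks like once the add-on is installed and a domain stanza is configured (this is illustrative, not code from the add-on or the answer): the `ldapsearch` command runs an LDAP query as a generating subsearch, the results are renamed to the `user` field, and the outer search excludes them. The domain name `default`, the group DN `CN=Privileged Admins,OU=Groups,DC=example,DC=com`, and the use of `sAMAccountName` as the username attribute are all assumptions to replace with your own values.

```spl
index=* user=* NOT [
    | ldapsearch domain=default
        search="(&(objectClass=user)(memberOf=CN=Privileged Admins,OU=Groups,DC=example,DC=com))"
        attrs="sAMAccountName"
    | rename sAMAccountName AS user
    | fields user
]
| stats count by user
```

Two caveats when using this for privileged-account monitoring: a plain `memberOf` filter only returns direct members, so nested group membership is missed unless your directory supports a transitive match (in Active Directory, the `memberOf:1.2.840.113556.1.4.1941:=` matching rule), and the subsearch result limit applies here as well. If the group is large or changes often, scheduling the LDAP query to write a lookup file and then using `inputlookup` in the outer search is usually more robust than running the LDAP query inline on every search.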