
How do you feed a variable to an LDAP search to resolve account name to displayname?

splunkbacon
Explorer

I'm having an issue taking a search I have and feeding one of the results to an LDAP search to generate a new field that resolves the account name to the display name. Does anyone have any examples of how this can be done?

Below is an example of what I'm trying to do. This search returns a field "user", which I want to use as the basis of an LDAP search to resolve the displayname. However, I'm getting some syntax errors.

index=events EventCode = 8004 | eval displayname =  ldapsearch domain=test.local search="(objectClass=user)" attrs="displayName,sAMAccountName,userAccountControl" | where userAccountControl = "NORMAL_ACCOUNT" AND sAMAccountName =  "$user$"
0 Karma

splunkbacon
Explorer

I think I figured it out using ldapfilter instead of ldapsearch.

0 Karma
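A worked version of the ldapfilter approach, added here as an example; it is not code from the original thread. It assumes the Splunk Supporting Add-on for Active Directory (SA-ldapsearch) is installed with a domain stanza named test.local, as in the question, and that the add-on returns userAccountControl as a list of decoded flag names such as NORMAL_ACCOUNT. The stats step, the events field name and the final table are my own choices.

```spl
index=events EventCode=8004
| stats count AS events BY user
| ldapfilter domain=test.local search="(&(objectClass=user)(sAMAccountName=$user$))" attrs="displayName,userAccountControl"
| search userAccountControl="NORMAL_ACCOUNT"
| table user displayName userAccountControl events
```

The difference from the original attempt is that ldapfilter is a streaming command, so it sits in the pipeline rather than inside eval, and the per-row value is injected into the filter with $user$ in the search argument instead of being compared afterwards. Because one LDAP query runs for every result row, aggregating by user first keeps the directory traffic to one query per account. Rows whose user has no match keep an empty displayName, which is worth surfacing rather than filtering away: an account name that appears in the event data but not in the directory is something an analyst usually wants to see. The $user$ value is substituted into the LDAP filter as-is, so if that field can carry anything other than a plain sAMAccountName, check the values before trusting the filter.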

mstjohn_splunk
Splunk Employee

Hey @splunkbacon

I'm glad you figured out a solution to your problem! Would you mind explaining how you did this as an answer and then approving it so others can learn from your experience? Thanks.

0 Karma