Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do you feed a variable to an LDAP search to resolve account name to displayname?

splunkbacon
Explorer
‎09-26-2018 06:18 AM

I'm having an issue taking a search I have and feeding one of the results to an LDAP search to generate a new field that resolves the account name to the display name. Does anyone have any examples of how this can be done?

Below is an example of what i'm trying to do. This search results a field "user" which i want to use as the basis to search LDAP to resolve the displayname. However, i'm having some syntax errors

index=events EventCode = 8004 | eval displayname =  ldapsearch domain=test.local search="(objectClass=user)" attrs="displayName,sAMAccountName,userAccountControl" | where userAccountControl = "NORMAL_ACCOUNT" AND sAMAccountName =  "$user$"
Tags (3)
0 Karma
Reply

splunkbacon
Explorer
‎09-26-2018 06:36 AM

I think i figured it out using ldapfilter instead of ldapsearch.

0 Karma
Reply

mstjohn_splunk
Splunk Employee
Splunk Employee
‎09-26-2018 09:40 AM

hey @splunkbacon

I'm glad you figured out a solution to your problem! Would you mind explaining how you did this as an answer and then approving it so others can learn from your experience? Thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In January, the Splunk Threat Research Team had one release of new security content via the Splunk ES Content ...

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...