I am trying to create a search against our LDAP strategy to show the capabilities, indexes, and users assigned to each role.
Capabilities and indexes are easy enough to get, however, I'm stuck on the last part, which is to get ALL users in the AD group assigned to each role.
| rest /servicesNS/nobody/system/admin/LDAP-groups splunk_server=local
| mvexpand roles
| join roles
[
| rest /servicesNS/nobody/system/admin/roles splunk_server=local
| rename title as roles
| eval ucaps=mvjoin(capabilities, ", ")
| eval icaps=mvjoin(imported_capabilities, ", ")
| eval uidx=mvjoin(srchIndexesAllowed,",")
| eval iidx=mvjoin(imported_srchIndexesAllowed, ",")
| eval idx=mvappend(iidx,uidx)
| eval caps=mvappend(icaps,ucaps)
| table roles caps idx
]
| eval roles=mvjoin(roles, " ")
| stats values(roles) as roles, values(caps) as capabilities, values(idx) as indexes, by title
| rename title as group
| foreach group
[ | ldapsearch search="(&(objectCategory=group)(cn="<<FIELD>>*"))" attrs="distinguishedName,member" | rex field=distinguishedName "CN=(?<group>[^,]+)," | stats values(member) as members by group | table members group ]