Splunk Search

How do you use the join command in an LDAP search?

solarboyz1
Builder

I am trying to create a search against our LDAP strategy to show the capabilities, indexes, and users assigned to each role.

Capabilities and indexes are easy enough to get, however, I'm stuck on the last part, which is to get ALL users in the AD group assigned to each role.

| rest /servicesNS/nobody/system/admin/LDAP-groups splunk_server=local
| mvexpand roles
| join roles
[
 | rest /servicesNS/nobody/system/admin/roles splunk_server=local
 | rename title as roles
 | eval ucaps=mvjoin(capabilities, ", ")
 | eval icaps=mvjoin(imported_capabilities, ", ")
 | eval uidx=mvjoin(srchIndexesAllowed,",")
 | eval iidx=mvjoin(imported_srchIndexesAllowed, ",")
 | eval idx=mvappend(iidx,uidx)
 | eval caps=mvappend(icaps,ucaps)
 | table roles caps idx
]
| eval roles=mvjoin(roles, " ")
| stats values(roles) as roles, values(caps) as capabilities, values(idx) as indexes, by  title 
| rename title as group
| foreach group
[ | ldapsearch search="(&(objectCategory=group)(cn="<<FIELD>>*"))" attrs="distinguishedName,member" | rex field=distinguishedName "CN=(?<group>[^,]+)," | stats values(member) as members by group | table members group ]
0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

&#x1f342; Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...