Splunk Search

How to calculate set flags in a numeric value in a search?

dominiquevocat
SplunkTrust

I have a numeric value representing flags. It is the value in userAccountControl defined as follows:

typedef enum {
ADS_UF_SCRIPT = 1,        // 0x1
ADS_UF_ACCOUNTDISABLE = 2,        // 0x2
ADS_UF_HOMEDIR_REQUIRED = 8,        // 0x8
ADS_UF_LOCKOUT = 16,       // 0x10
ADS_UF_PASSWD_NOTREQD = 32,       // 0x20
ADS_UF_PASSWD_CANT_CHANGE = 64,       // 0x40
ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 128,      // 0x80
ADS_UF_TEMP_DUPLICATE_ACCOUNT = 256,      // 0x100
ADS_UF_NORMAL_ACCOUNT = 512,      // 0x200
ADS_UF_INTERDOMAIN_TRUST_ACCOUNT = 2048,     // 0x800
ADS_UF_WORKSTATION_TRUST_ACCOUNT = 4096,     // 0x1000
ADS_UF_SERVER_TRUST_ACCOUNT = 8192,     // 0x2000
ADS_UF_DONT_EXPIRE_PASSWD = 65536,    // 0x10000
ADS_UF_MNS_LOGON_ACCOUNT = 131072,   // 0x20000
ADS_UF_SMARTCARD_REQUIRED = 262144,   // 0x40000
ADS_UF_TRUSTED_FOR_DELEGATION = 524288,   // 0x80000
ADS_UF_NOT_DELEGATED = 1048576,  // 0x100000
ADS_UF_USE_DES_KEY_ONLY = 2097152,  // 0x200000
ADS_UF_DONT_REQUIRE_PREAUTH = 4194304,  // 0x400000
ADS_UF_PASSWORD_EXPIRED = 8388608,  // 0x800000
ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION  = 16777216 // 0x1000000
} ADS_USER_FLAG_ENUM;

So I seek to know if the user is locked, but I would be interested in a more generic approach. Perhaps a lookup and a custom command? Search language is preferred though.

aweitzman
Motivator

I did the following in props.conf to handle this, but you could easily adapt it for the search language:

# bit n: integer-divide by 2^(n-1) to shift it into the lowest position, then %2 tests it
EVAL-bit1 = (flagField%2)
EVAL-bit2 = (floor(flagField/2)%2)
EVAL-bit3 = (floor(flagField/4)%2)
...

This assigns 0 or 1 to a field bit(n) based on its value in the bitmap field.

So in your case, in the search bar you might say:

... | eval IsLocked=(floor(userAccountControl/16)%2) | ...

Hope this helps.

dominiquevocat
SplunkTrust

Looks neat, will give it a go. Actually the v1 of SA-ldapsearch did this parsing, the new version 2 does not yet do it! Something for Adrian Hall? 🙂
