Splunk Search

How to calculate set flags in a numeric value in a search?

dominiquevocat
Motivator

I have a numeric value representing flags. It is the value in userAccountControl defined as follows:

typedef enum {
ADS_UF_SCRIPT = 1,        // 0x1
ADS_UF_ACCOUNTDISABLE = 2,        // 0x2
ADS_UF_HOMEDIR_REQUIRED = 8,        // 0x8
ADS_UF_LOCKOUT = 16,       // 0x10
ADS_UF_PASSWD_NOTREQD = 32,       // 0x20
ADS_UF_PASSWD_CANT_CHANGE = 64,       // 0x40
ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 128,      // 0x80
ADS_UF_TEMP_DUPLICATE_ACCOUNT = 256,      // 0x100
ADS_UF_NORMAL_ACCOUNT = 512,      // 0x200
ADS_UF_INTERDOMAIN_TRUST_ACCOUNT = 2048,     // 0x800
ADS_UF_WORKSTATION_TRUST_ACCOUNT = 4096,     // 0x1000
ADS_UF_SERVER_TRUST_ACCOUNT = 8192,     // 0x2000
ADS_UF_DONT_EXPIRE_PASSWD = 65536,    // 0x10000
ADS_UF_MNS_LOGON_ACCOUNT = 131072,   // 0x20000
ADS_UF_SMARTCARD_REQUIRED = 262144,   // 0x40000
ADS_UF_TRUSTED_FOR_DELEGATION = 524288,   // 0x80000
ADS_UF_NOT_DELEGATED = 1048576,  // 0x100000
ADS_UF_USE_DES_KEY_ONLY = 2097152,  // 0x200000
ADS_UF_DONT_REQUIRE_PREAUTH = 4194304,  // 0x400000
ADS_UF_PASSWORD_EXPIRED = 8388608,  // 0x800000
ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION  = 16777216 // 0x1000000
} ADS_USER_FLAG_ENUM;

So I seek to know if the user is locked, but I would be interested in a more generic approach. Perhaps a lookup and a custom command? Search language is preferred though.

aweitzman
Motivator

I did the following in props.conf to handle this, but you could easily adapt it for the search language:

EVAL-bit1 = (flagField%2)
EVAL-bit2 = (floor(flagField/2)%2)
EVAL-bit3 = (floor(flagField/4)%2)
...

This assigns 0 or 1 to a field bit(n) based on its value in the bitmap field.

So in your case, in the search bar you might say:

... | eval IsLocked=(floor(ADS_USER_FLAG_ENUM/16)%2) | ...

Hope this helps.
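The same floor(x / 2^n) % 2 trick, written out generically in Python as an added example (not code from either poster): it decodes a userAccountControl value into the ADS_UF_* names from the question, and it generates the equivalent Splunk eval clause for every flag at once, which is the "more generic approach" the question asked about. The field name userAccountControl and the sample values 514, 528 and 66048 are assumptions chosen for illustration.

```python
# Added example, not from the thread: decode a userAccountControl bitmask into
# its named ADS_UF_* flags and emit the matching Splunk eval expressions.
import math

# Flag values exactly as listed in the question's ADS_USER_FLAG_ENUM.
ADS_USER_FLAGS = {
    "ADS_UF_SCRIPT": 0x1,
    "ADS_UF_ACCOUNTDISABLE": 0x2,
    "ADS_UF_HOMEDIR_REQUIRED": 0x8,
    "ADS_UF_LOCKOUT": 0x10,
    "ADS_UF_PASSWD_NOTREQD": 0x20,
    "ADS_UF_PASSWD_CANT_CHANGE": 0x40,
    "ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED": 0x80,
    "ADS_UF_TEMP_DUPLICATE_ACCOUNT": 0x100,
    "ADS_UF_NORMAL_ACCOUNT": 0x200,
    "ADS_UF_INTERDOMAIN_TRUST_ACCOUNT": 0x800,
    "ADS_UF_WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "ADS_UF_SERVER_TRUST_ACCOUNT": 0x2000,
    "ADS_UF_DONT_EXPIRE_PASSWD": 0x10000,
    "ADS_UF_MNS_LOGON_ACCOUNT": 0x20000,
    "ADS_UF_SMARTCARD_REQUIRED": 0x40000,
    "ADS_UF_TRUSTED_FOR_DELEGATION": 0x80000,
    "ADS_UF_NOT_DELEGATED": 0x100000,
    "ADS_UF_USE_DES_KEY_ONLY": 0x200000,
    "ADS_UF_DONT_REQUIRE_PREAUTH": 0x400000,
    "ADS_UF_PASSWORD_EXPIRED": 0x800000,
    "ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION": 0x1000000,
}


def flag_set(value: int, bit_value: int) -> int:
    """Return 1 if the flag worth bit_value is set in value, else 0.

    This mirrors the SPL idiom floor(value / bit_value) % 2 from the answer
    above instead of a bitwise AND, so it computes exactly what the eval
    expression computes (for non-negative integers the two agree).
    """
    return math.floor(value / bit_value) % 2


def decode_flags(value: int) -> list:
    """Names of all flags set in value, in enum order."""
    return [name for name, bit in ADS_USER_FLAGS.items() if flag_set(value, bit)]


def spl_eval_for_flags(field: str = "userAccountControl") -> str:
    """Build one SPL eval clause that yields a 0/1 field per flag.

    The field name is an assumption; adjust it to match your LDAP data.
    """
    parts = [f"{name}=(floor({field}/{bit})%2)" for name, bit in ADS_USER_FLAGS.items()]
    return "| eval " + ", ".join(parts)


if __name__ == "__main__":
    # Constructed sample values: a disabled normal account, a locked normal
    # account, and a normal account whose password never expires.
    for uac in (514, 528, 66048):
        print(uac, decode_flags(uac))
    print(spl_eval_for_flags())
```

Paste the printed eval clause after your ldapsearch (or whatever produces the numeric field) and each flag becomes its own 0/1 field, so a search for `ADS_UF_ACCOUNTDISABLE=1` or `ADS_UF_DONT_REQUIRE_PREAUTH=1` needs no arithmetic. One caveat for the lockout case specifically: Active Directory does not maintain the ADS_UF_LOCKOUT bit in the stored userAccountControl attribute; the current lockout state is exposed through the constructed attribute msDS-User-Account-Control-Computed, so that is the attribute to feed this decoding if lockouts are what you are after.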

dominiquevocat
Motivator

Looks neat, will give it a go. Actually the v1 of SA-ldapsearch did this parsing, the new version 2 does not yet do it! Something for Adrian Hall? 🙂
