Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to extract fields from /services/authentication/current-context?

Cbr1sg
Path Finder
‎06-03-2018 08:16 PM

Hello all,
The command
| rest /services/authentication/current-context
will return some fields like username, email, realname, etc..
I want to get other fields on LDAP like Telephone Number, SIP address, etc..
Is it possible?
Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎06-04-2018 02:08 AM

You'll need a secondary data source, e.g. ldapsearch, to retrieve that information, use the username returned by current-context as a filter.

https://splunkbase.splunk.com/app/1151/

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎06-04-2018 02:08 AM

You'll need a secondary data source, e.g. ldapsearch, to retrieve that information, use the username returned by current-context as a filter.

https://splunkbase.splunk.com/app/1151/

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎06-04-2018 02:25 AM

SA-ldapsearch runs on linux splunk servers.

If you don't have AD, consider https://splunkbase.splunk.com/app/3872/

0 Karma
Reply
Solved! Jump to solution

Cbr1sg
Path Finder
‎06-04-2018 11:50 PM

after tried again, i finally made this works. Thanks a lot!

0 Karma
Reply
Solved! Jump to solution

Cbr1sg
Path Finder
‎06-04-2018 02:25 AM

i already looked into this, unfortunately my server is linux so this solution is not compatible, do you have other suggestion for linux? Thanks

0 Karma
Reply
Solved! Jump to solution

Sukisen1981
Champion
‎06-04-2018 01:43 AM

Well, you can always define regular expressions to fetch needed field value, are you looking to extract ALL fields automatically? There is limitations on that

0 Karma
Reply
Solved! Jump to solution

Cbr1sg
Path Finder
‎06-04-2018 01:59 AM

I want to get these 2 fields SipAddress and Phone, could you please advise what regex to use and where can I apply it?

Thanks

0 Karma
Reply
Solved! Jump to solution

Sukisen1981
Champion
‎06-04-2018 02:03 AM

can you post a sample of your events as they appear in splunk?

0 Karma
Reply
Solved! Jump to solution

Cbr1sg
Path Finder
‎06-04-2018 02:24 AM

I think you might have misunderstood my question, and sorry as I wasn't clear enough.

I want to get additional information which does NOT exist in current-context,
When the user authenticates using LDAP username/password, Splunk does the ldap lookup and returns some of standard fields like username, email, realname, etc..
Besides those fields, i want to get something else which is missing, for example Phone and SipAddress

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Splunk Observability Metrics Cost Optimization

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...