Splunk Search

How to find a specific user in an Active Directory lookup using ldapsearch command?

pfabrizi
Path Finder

I have the following ldapsearch

| ldapsearch domain="PROD" search="(&(objectClass=group)(cn=DSMS Operations))"
| table member,cn,distinguishedName
| ldapgroup domain=PROD
| table member_name
| outputlookup itocusers.csv

the members are returned but in a single event, so the event written to the CSV looks like this:
"member_name"
"user1
user2
user3
user4"

When trying to do a lookup, it can't find the specific user; however, if I remove the quotes it works. I have tried rex and makemv to remove this with no success.

0 Karma

woodcock
Esteemed Legend

Like this:

| ldapsearch domain="PROD" search="(&(objectClass=group)(cn=DSMS Operations))" 
| table member,cn,distinguishedName
| ldapgroup domain=PROD
| table member_name
| rex field=member_name mode=sed "s/^\"// s/\"$//"
| makemv delim="
" member_name
| mvexpand member_name
| outputlookup itocusers.csv
0 Karma

pfabrizi
Path Finder

Thanks, the second query looks much better. What I am seeing is quotes wrapped around those accounts that have special characters,
so it would look like this:
user1
"user2_test"
user2

I am trying to understand the regex. I know the ^\" and \"$ look for the quotes at the start and end of the string, but I'm not sure what the s/ and the // do? I think this is where I would have it look for the _ in the name.

Thanks!

0 Karma

woodcock
Esteemed Legend

This is not what you showed in your example; my solution is stripping the bounding double-quotes (the one at the very beginning and the one at the very end), which is all that was shown. The explanation given by @rich7177 should give you the understanding that you need to adjust the solution.

0 Karma

Richfez
SplunkTrust

It's rex used in sed mode; sed is an old unix utility, the "stream editor". What it does is substitute characters in a stream of characters.

There are TWO substitutes in one command. I think you'll see more easily what's going on if we rewrite this as two separate sed-mode rex commands.

| rex field=member_name mode=sed "s/^\"//"
| rex field=member_name mode=sed "s/\"$//"

Now that there are two, it's a lot easier. I'll just do the first one in detail.

The main gist is s for substitute, then you'll see three delimiters in there: /. Substitute what's in the second set for whatever's in the first: s/what I search for/what I replace with/. So if I ran that immediately preceding sed against the sentence "This is what I search for" I would get as output "This is what I replace with".

In this case, substitute // (nothing, empty between those last two delimiters) any time you find ^\", or a quote at the beginning.

The second one is the same thing only searches for a quote at the end of the string/stream/whatever.

I believe, by the way, if you know for sure there will never be a quote mark inside the string, you could just do

.... | rex field=member_name mode=sed "s/\"//g"

That g at the end is a flag to say "globally", or in other words do that substitution as many times as it can. And since we've removed the anchors for beginning or end, it'll substitute ALL quotes with nothing.

Does that help?

0 Karma
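As an added illustration (not code from this thread), here is the same logic in Python rather than SPL: the two anchored substitutions s/^"// and s/"$// beside the global s/"//g, applied to a member_name value shaped like the one in the question, followed by the split-and-expand step and the lookup CSV write. RAW_MEMBER_NAME is a constructed sample and the function names are my own.

```python
import csv
import io
import re

# Constructed sample: one multi-line member_name value with bounding quotes,
# plus per-value quotes around a name containing a special character.
RAW_MEMBER_NAME = '"user1\n"user2_test"\nuser2\nuser4"'


def strip_bounding_quotes(value: str) -> str:
    """Same effect as rex mode=sed "s/^\"//" then "s/\"$//".
    Without re.MULTILINE, ^ and $ match only the ends of the whole value,
    so a quote wrapped around an inner name survives."""
    value = re.sub(r'^"', "", value)
    return re.sub(r'"$', "", value)


def strip_all_quotes(value: str) -> str:
    """Same effect as rex mode=sed "s/\"//g": the g flag removes every quote."""
    return re.sub(r'"', "", value)


def expand_members(value: str) -> list:
    """makemv on newline followed by mvexpand: one trimmed name per row.
    Per-row quotes are stripped too, so the lookup value is the bare name."""
    return [m.strip().strip('"') for m in value.split("\n") if m.strip()]


def write_lookup(members: list) -> str:
    """Write the lookup CSV; the csv module adds quoting only where needed."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["member_name"])
    for member in members:
        writer.writerow([member])
    return buf.getvalue()


def is_group_member(lookup_csv: str, user: str) -> bool:
    """Exact match against the lookup; a stray quote in a stored name would
    make this fail, which is the symptom described in the question."""
    rows = csv.DictReader(io.StringIO(lookup_csv))
    return any(row["member_name"] == user for row in rows)
```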

adonio
Ultra Champion

Maybe like this:

| ldapsearch domain="PROD" search="(&(objectClass=group)(cn=DSMS Operations))"
| table member,cn,distinguishedName
| ldapgroup domain=PROD
| table member_name
| makemv delim=" " member_name
| mvexpand member_name
| outputlookup itocusers.csv

Hope it helps.

0 Karma

pfabrizi
Path Finder

I changed my query to this:
| ldapsearch domain="PROD" search="(&(objectClass=group)(cn=DSMS Operations))"
| table member,cn,distinguishedName
| ldapgroup domain=PROD
| table member_name
| rex field=member_name mode=sed "s/\"//g"
| mvexpand member_name
| outputlookup itocusers.csv

I am still seeing the quotes around the user names that have a special character.

It looks like this:

users1
users2
"users2_test"
"user3_test"

Is this going to require a script that runs nightly to do this?

Thanks!

0 Karma