Splunk Search

How to use ldap filter to find duplicate values?

Niro
Explorer

Hello,

I'm trying to set up an alert when someone creates or modifies an Active Directory account with a uidNumber that already exists in another account.

I already have a search that finds changes to accounts (below). I want to modify this search so that if the Property that changed is "uidNumber" then search ldap to see if it already exists on another account, and send an alert that contains both new and existing accounts names, uidnumber, and admin that made the change.

This is the current search I have to find all changes:

As a separate, sort of related question: any idea why, when I remove "obj_dn" from the table command, I get no results at all? I'm using ldapfilter here to get the cn of an object using the obj_dn field, but I didn't think I needed it anymore after that.

index=wineventlog EventCode=5136 sourcetype=WinEventLog
| sort -_time
| ldapfilter domain=*** search="(DistinguishedName=$obj_dn$)" attrs="cn"
| rename cn as affected_user, LDAP_Display_Name as Property, dir_svcs_action as action
| table _time, Account_Name, Property, Value, action, affected_user, obj_dn


Niro
Explorer

I made SOME progress on this by using map. This returns the duplicate value; however, I also want to get the "Account_Name" field of the original search. Any way to do that?

index="wineventlog" EventCode=5136 LDAP_Display_Name=uidNumber
| rename Value as uidNumber
| fields user, uidNumber, Account_Name
| map search="| ldapsearch domain=*** search=\"(uidNumber=$uidNumber$)\" attrs=\"*\""
| stats values(uidNumber) as uidNumber, values(dn) as dn, values(cn) as cn

yuanliu
SplunkTrust

I have a suspicion that Account_Name and uidNumber are equally populated, and that your intention is to get one row per uidNumber, not a multivalued uidNumber.  If this is correct, just put Account_Name and uidNumber in groupby.

index="wineventlog" EventCode=5136 LDAP_Display_Name=uidNumber
| rename Value as uidNumber
| fields user, uidNumber, Account_Name
| map search="| ldapsearch domain=*** search=\"(uidNumber=$uidNumber$)\" attrs=\"*\""
| stats values(dn) as dn, values(cn) as cn by Account_Name uidNumber

If Account_Name may be null with a valid uidNumber, you can use values to preserve null values, like

index="wineventlog" EventCode=5136 LDAP_Display_Name=uidNumber
| rename Value as uidNumber
| fields user, uidNumber, Account_Name
| map search="| ldapsearch domain=*** search=\"(uidNumber=$uidNumber$)\" attrs=\"*\""
| stats values(Account_Name) as Account_Name values(dn) as dn, values(cn) as cn by uidNumber
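Added example, not code from either poster: one search that covers the original goal (alert with both account names, the uidNumber and the admin who made the change) and the follow-up about keeping Account_Name. The negation clause `(!(distinguishedName=$obj_dn$))` excludes the object that was just changed, so any row the subsearch returns is a different account already holding that uidNumber, and the `eval` inside the map subsearch copies the outer event's fields into the result, which map otherwise discards. Assumptions: the SA-ldapsearch `ldapsearch` command with the thread's `domain=***` placeholder, and an obj_dn that contains none of the LDAP filter metacharacters `( ) * \` (a DN with an escaped comma would need filter escaping).

```spl
index=wineventlog EventCode=5136 sourcetype=WinEventLog LDAP_Display_Name=uidNumber
| rename Value as uidNumber, Account_Name as changed_by
| eval change_time=strftime(_time, "%Y-%m-%d %H:%M:%S")
| fields change_time, obj_dn, uidNumber, changed_by
| map maxsearches=100 search="| ldapsearch domain=*** search=\"(&(uidNumber=$uidNumber$)(!(distinguishedName=$obj_dn$)))\" attrs=\"cn,sAMAccountName\" | eval new_account_dn=\"$obj_dn$\", uidNumber=\"$uidNumber$\", changed_by=\"$changed_by$\", change_time=\"$change_time$\""
| rename cn as existing_account, sAMAccountName as existing_sam, dn as existing_account_dn
| table change_time, changed_by, new_account_dn, uidNumber, existing_account, existing_sam, existing_account_dn
```

Schedule it over the alert's lookback window and trigger when the result count is greater than zero; the `fields` line limits what each outer event hands to the map subsearch, and `maxsearches` raises map's default cap of ten subsearches.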
