Splunk Search

LDAP Search with REGEX to table out members of specific groups

silversides
Loves-to-Learn

Trying to build a search that will leverage ldapsearch to pull a current list of users that are members of a specific list of groups. For example, some groups may be


CN=Schema Admins,OU=groups,DC=domain,DC=xxx
CN=Enterprise Admins,OU=group1,OU=groups,DC=domain,DC=xxx
CN=Domain Admins Admins,OU=group1,OU=groups,DC=domain,DC=xxx

This rex (?<=CN=)[^,]+ will grab the group name, but I'm having trouble pulling this all together.

This needs to search any group we want to include by specific name and then table out a list of the users that are members of each group, sorted by the group name.

 


yuanliu
SplunkTrust

This needs to search any group we want to include by specific name and then table out a list of the users that are members of each group sorted by the group name


First, you need to illustrate how a user is represented in the Splunk data. Is memberOf already extracted into one string? Second, you need to illustrate the form of that "specific name" you wish to use in the Splunk search. As your example LDAP search indicates, an LDAP group is more than just a CN; it is a group of attributes strung together as a unique identifier. Are you going to search only by CN?


silversides
Loves-to-Learn

Appreciate the link, I'll have to dig into that.

I was hoping to get a working example here though that I could use and customize on my own


silversides
Loves-to-Learn

If this helps, this is how we currently list the members of a specific AD group:

ldapsearch search="(&(objectClass=user)(memberOf=CN=Schema Admins,OU=groups,DC=domain,DC=xxx))"


ITWhisperer
SplunkTrust

Search for all your users then extract the CN using the rex.

If you are trying to tighten your search criteria, here is the spec for searches: https://datatracker.ietf.org/doc/html/rfc2254


silversides
Loves-to-Learn

Example table output would be something like

User1  Schema Admins
User2  Schema Admins
User1  Enterprise Admins
User3  Domain Admins


ITWhisperer
SplunkTrust

You are almost there - assuming your field is _raw

| rex "(?<groups>(?<=CN=)[^,]+)"
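To show how the pieces of this thread fit together outside of SPL, here is an added Python example (not code from the thread, from Splunk, or from the ldapsearch app). It assumes ldapsearch results have already been turned into records with a sAMAccountName field and a multivalued memberOf field (the sample records are constructed, not real directory data), applies the same "CN up to the first comma" extraction as the rex in the answer above, keeps only the groups in a wanted list, and emits the user/group rows sorted by group name. It goes one step beyond the thread's regex by tolerating RFC 4514 backslash escapes inside a CN (a group named "Backup, Operators" is stored as "CN=Backup\, Operators,..."), which a bare [^,]+ would truncate.

```python
import re

# Anchored equivalent of the thread's (?<=CN=)[^,]+, widened so that an
# escaped character (backslash followed by anything) does not end the CN.
CN_RE = re.compile(r"^\s*CN=((?:\\.|[^,\\])+)", re.IGNORECASE)

# Constructed sample records: the shape an ldapsearch result for
# objectClass=user might have once memberOf is a multivalued field.
SAMPLE_USERS = [
    {"sAMAccountName": "User1",
     "memberOf": ["CN=Schema Admins,OU=groups,DC=domain,DC=xxx",
                  "CN=Enterprise Admins,OU=group1,OU=groups,DC=domain,DC=xxx"]},
    {"sAMAccountName": "User2",
     "memberOf": ["CN=Schema Admins,OU=groups,DC=domain,DC=xxx",
                  "CN=Helpdesk,OU=groups,DC=domain,DC=xxx"]},
    {"sAMAccountName": "User3",
     "memberOf": ["CN=Domain Admins,OU=group1,OU=groups,DC=domain,DC=xxx"]},
    {"sAMAccountName": "User4",
     "memberOf": ["CN=Backup\\, Operators,OU=groups,DC=domain,DC=xxx"]},
]


def group_cn(dn):
    """Return the unescaped CN of a group DN, or None if the DN does not start with CN=."""
    m = CN_RE.match(dn)
    if not m:
        return None
    # Undo RFC 4514 backslash escapes ("\," -> ",") so names compare cleanly.
    return re.sub(r"\\(.)", r"\1", m.group(1)).strip()


def members_of(users, wanted_groups):
    """Return (user, group) rows for users in any wanted group, sorted by group then user.

    Matching is case-insensitive, as AD group names are, and each
    user/group pair appears once even if memberOf lists a DN twice.
    """
    wanted = {g.casefold() for g in wanted_groups}
    rows = set()
    for user in users:
        for dn in user.get("memberOf", []):
            cn = group_cn(dn)
            if cn and cn.casefold() in wanted:
                rows.add((user["sAMAccountName"], cn))
    return sorted(rows, key=lambda r: (r[1].casefold(), r[0].casefold()))


if __name__ == "__main__":
    wanted = ["Schema Admins", "Enterprise Admins", "Domain Admins", "Backup, Operators"]
    for user, group in members_of(SAMPLE_USERS, wanted):
        print(f"{user:<8}{group}")
```

Within Splunk itself the same idea maps onto the rex command's max_match=0 option so that every memberOf value is extracted rather than only the first, followed by a search on the extracted group field and a table/sort; the escaped-comma caveat applies to the rex pattern just the same.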

ITWhisperer
SplunkTrust

The rex "grabs" the CN - is this what you want to search for?

Can you please give examples of what you are trying to "grab" from these strings?
