Splunk Search

Querying AD accounts and email addresses

Sotu
Engager

I am able to pull my AD users' account information successfully except for their email addresses.  What am I doing wrong? Apologies, since I am still learning.

 

| inputlookup AD_Obj_User WHERE domain="mydomain"
| fields domain, sAMAccountName, userAccountControl, uac_details,domain, distinguishedName, mail, whenChanged,whenCreated
| table domain, sAMAccountName, userAccountControl, uac_details,domain, distinguishedName, mail, whenChanged,whenCreated
| eval uac_details=replace(mvjoin(uac_details,":"),"([\r\n]+)",":")
| makemv delim=":" uac_details
| search [| makeresults | eval uac_details=replace("#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#","#empty#","")
| makemv delim="," uac_details
| eval mfilt_uac=mvfilter(match(uac_details,"^\w+"))
| eval search=if(isnull(mfilt_uac),"","uac_details=\"".mvjoin(mfilt_uac,"\" AND uac_details=\"")."\"")
| table search]
| sort 0 sAMAccountName
| rename sAMAccountName AS "user", uac_details AS userAccountControl_Details
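As an added illustration (not the original poster's SPL and not Splunk code), the following Python replays the same pipeline on a small constructed lookup sample: the domain filter, the `replace`/`makemv` normalization of `uac_details`, the subsearch that turns a "#empty#"-padded multiselect token into a chain of `uac_details="..." AND uac_details="..."` conditions, and the final sort and rename. The point it makes visible is that `mail` is only passed through, never computed, so if it comes back empty the value was already missing from the lookup rows; the `users_without_mail` helper lists those rows. The lookup rows, field values and the `NO_SELECTION` token are constructed for the example.

```python
import re

# Constructed sample rows, shaped like the AD_Obj_User lookup in the question (not real data).
# uac_details is stored as a CR/LF-separated string, which is what the original SPL's
# replace("([\r\n]+)", ":") step is compensating for.
SAMPLE_LOOKUP = [
    {"domain": "mydomain", "sAMAccountName": "alice", "userAccountControl": "512",
     "uac_details": "NORMAL_ACCOUNT",
     "distinguishedName": "CN=alice,OU=Users,DC=mydomain,DC=local",
     "mail": "alice@mydomain.example", "whenChanged": "2024-01-02", "whenCreated": "2020-05-01"},
    {"domain": "mydomain", "sAMAccountName": "bob", "userAccountControl": "66050",
     "uac_details": "NORMAL_ACCOUNT\r\nDONT_EXPIRE_PASSWORD\r\nACCOUNTDISABLE",
     "distinguishedName": "CN=bob,OU=Users,DC=mydomain,DC=local",
     "mail": "", "whenChanged": "2024-03-04", "whenCreated": "2019-07-15"},
    {"domain": "mydomain", "sAMAccountName": "svc-backup", "userAccountControl": "66048",
     "uac_details": "NORMAL_ACCOUNT\nDONT_EXPIRE_PASSWORD",
     "distinguishedName": "CN=svc-backup,OU=Service,DC=mydomain,DC=local",
     "mail": None, "whenChanged": "2024-02-20", "whenCreated": "2021-11-30"},
    {"domain": "otherdomain", "sAMAccountName": "carol", "userAccountControl": "512",
     "uac_details": "NORMAL_ACCOUNT",
     "distinguishedName": "CN=carol,OU=Users,DC=otherdomain,DC=local",
     "mail": "carol@otherdomain.example", "whenChanged": "2024-01-09", "whenCreated": "2022-02-02"},
]

# The multiselect token the subsearch consumes. Fourteen "#empty#" placeholders, as in the
# question, means nothing was selected, so no uac_details filter is applied.
NO_SELECTION = ",".join(["#empty#"] * 14)


def normalize_uac(value):
    """Equivalent of: eval uac_details=replace(mvjoin(uac_details,":"),"([\\r\\n]+)",":")
    followed by makemv delim=":".  Accepts a plain string or a list (multivalue field)."""
    if value is None:
        return []
    joined = ":".join(value) if isinstance(value, list) else value
    return [v for v in re.sub(r"[\r\n]+", ":", joined).split(":") if v]


def selected_uac_flags(token):
    """Equivalent of the subsearch: drop "#empty#", split on ",", keep tokens matching ^\\w+."""
    parts = token.replace("#empty#", "").split(",")
    return [p for p in parts if re.match(r"^\w+", p)]


def build_search_string(token):
    """Reproduce the `search` field the subsearch emits; "" means no filter at all."""
    flags = selected_uac_flags(token)
    if not flags:
        return ""
    return 'uac_details="' + '" AND uac_details="'.join(flags) + '"'


def run_query(rows, domain, token=NO_SELECTION):
    """Replay the pipeline: domain filter, uac normalization, AND-filter on selected flags,
    sort by sAMAccountName, then rename.  mail is copied through untouched."""
    wanted = selected_uac_flags(token)
    out = []
    for row in rows:
        if row.get("domain") != domain:
            continue
        flags = normalize_uac(row.get("uac_details"))
        # uac_details="A" AND uac_details="B" on a multivalue field: every selected flag must be present.
        if not all(f in flags for f in wanted):
            continue
        out.append({
            "domain": row["domain"],
            "user": row["sAMAccountName"],
            "userAccountControl": row["userAccountControl"],
            "userAccountControl_Details": flags,
            "distinguishedName": row["distinguishedName"],
            "mail": row.get("mail"),
            "whenChanged": row["whenChanged"],
            "whenCreated": row["whenCreated"],
        })
    return sorted(out, key=lambda r: r["user"])


def users_without_mail(results):
    """Diagnostic: which returned rows carry no mail value (missing or empty in the lookup)."""
    return [r["user"] for r in results if not r["mail"]]


if __name__ == "__main__":
    res = run_query(SAMPLE_LOOKUP, "mydomain")
    print("subsearch emits:", repr(build_search_string(NO_SELECTION)))
    for r in res:
        print(r["user"], r["mail"], r["userAccountControl_Details"])
    print("users without mail in the lookup:", users_without_mail(res))
```

Running it with the all-"#empty#" token shows the subsearch contributing an empty search string (every row in the domain passes), and two of the three returned users having no mail because the constructed lookup rows had none; passing a token such as `"#empty#,ACCOUNTDISABLE"` narrows the result to rows whose normalized `uac_details` contains that flag.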

yuanliu
SplunkTrust

The First Law of asking an answerable question states:

Present your dataset (anonymize as needed), illustrate desired output from illustrated dataset, explain the logic between illustrated dataset and desired output. (Without SPL.)

If attempted SPL does not give desired output, also illustrate actual output (anonymize as needed), then explain its difference from desired results if it is not painfully clear.

I am able to pull my AD users account information successfully except for their email addresses. 

Can you explain from which source you are pulling AD info?  Your SPL only uses a lookup file.  Do you mean

  1. lookup table AD_Obj_User contains email addresses but the illustrated SPL does not output them, or
  2. your effort to populate AD_Obj_User fails to obtain email addresses from a legitimate AD source (as @deepakc speculated)?

If the former, what is the purpose of the SPL?  What is the content of AD_Obj_User?  What is the desired output and the logic between the content and desired output?

If the latter, what is the purpose of showing SPL?

deepakc
Builder


It could be a permissions issue: you need to be able to read the email address attribute ((&(objectClass=user)(objectCategory=person)(mail=*))). Check the permissions of the user account that is being used to pull the LDAP data; see your AD admin. Or run something like the below to check under that user account.

dsquery user -samid username | dsget user -email



If not, find out how it's being populated; normally it's done via the ldapsearch command, see references below.

Check the ldapsearch query that creates the lookup and you should have the data there; this may already have been created as a scheduled search.

Reference:

Ldap Search using the command

https://docs.splunk.com/Documentation/SA-LdapSearch/3.0.8/User/Theldapsearchcommand

Ldap Add-on
https://docs.splunk.com/Documentation/SA-LdapSearch/3.0.8/User/AbouttheSplunkSupportingAdd-onforActi... 
