I am able to pull my AD users' account information successfully except for their email addresses. What am I doing wrong? Apologies, as I am still learning.
| inputlookup AD_Obj_User WHERE domain="mydomain"
| fields domain, sAMAccountName, userAccountControl, uac_details, distinguishedName, mail, whenChanged, whenCreated
| table domain, sAMAccountName, userAccountControl, uac_details, distinguishedName, mail, whenChanged, whenCreated
| eval uac_details=replace(mvjoin(uac_details,":"),"([\r\n]+)",":")
| makemv delim=":" uac_details
| search [| makeresults | eval uac_details=replace("#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#","#empty#","")
| makemv delim="," uac_details
| eval mfilt_uac=mvfilter(match(uac_details,"^\w+"))
| eval search=if(isnull(mfilt_uac),"","uac_details=\"".mvjoin(mfilt_uac,"\" AND uac_details=\"")."\"")
| table search]
| sort 0 sAMAccountName
| rename sAMAccountName AS "user", uac_details AS userAccountControl_Details
The First Law of asking an answerable question states:
Present your dataset (anonymize as needed), illustrate desired output from illustrated dataset, explain the logic between illustrated dataset and desired output. (Without SPL.)
If attempted SPL does not give desired output, also illustrate actual output (anonymize as needed), then explain its difference from desired results if it is not painfully clear.
I am able to pull my AD users account information successfully except for their email addresses.
Can you explain from which source you are pulling AD info? Your SPL only uses a lookup file. Do you mean
If former, what is the purpose of the SPL? What is the content of AD_Obj_User? What is the desired output and the logic between the content and desired output?
If latter, what is the purpose of showing SPL?
It could be a permissions issue: you need to be able to read the email address attribute ((&(objectClass=user)(objectCategory=person)(mail=*))). Check the permissions of the user account that is being used to pull the LDAP data; see your AD admin. Or run something like the below to check under that user account.
dsquery user -samid username | dsget user -email
If not, find out how it's being populated; normally it's done via the ldap search command (see references below).
Check the ldap search that creates the lookup and you should have the data there; this may have been created already as a scheduled search.
Reference:
Ldap Search using the command
https://docs.splunk.com/Documentation/SA-LdapSearch/3.0.8/User/Theldapsearchcommand
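As an added illustration of the checks described in this answer (example code, not from the thread, from Splunk or from SA-LdapSearch): a Python script that evaluates the LDAP filter quoted above against a constructed AD_Obj_User-style lookup extract, separating accounts that carry a mail value from those that do not, and flagging the case where the lookup has no mail column at all, which points at the attribute list of the ldapsearch that builds the lookup or at the bind account's read permission rather than at the SPL. It also mirrors the uac_details normalisation from the question's SPL so the two views can be compared. The sample rows, the ";"-joined convention for multi-valued attributes, and the subset of filter syntax supported are assumptions of the example.

```python
import csv
import io
import re

# Constructed sample of an AD_Obj_User-style lookup extract (not real data).
# Multi-valued attributes such as objectClass are stored ";"-joined; bob and
# svc-backup have no mail value, carol belongs to another domain.
SAMPLE_LOOKUP_CSV = """domain,sAMAccountName,userAccountControl,uac_details,distinguishedName,mail,objectClass,objectCategory
mydomain,alice,512,NORMAL_ACCOUNT,"CN=alice,OU=Users,DC=mydomain,DC=local",alice@mydomain.local,top;person;organizationalPerson;user,person
mydomain,bob,514,ACCOUNT_DISABLE:NORMAL_ACCOUNT,"CN=bob,OU=Users,DC=mydomain,DC=local",,top;person;organizationalPerson;user,person
mydomain,svc-backup,66048,NORMAL_ACCOUNT:DONT_EXPIRE_PASSWORD,"CN=svc-backup,OU=Service,DC=mydomain,DC=local",,top;person;organizationalPerson;user,person
otherdomain,carol,512,NORMAL_ACCOUNT,"CN=carol,OU=Users,DC=otherdomain,DC=local",carol@otherdomain.local,top;person;organizationalPerson;user,person
"""

# The filter from the answer: users that actually carry a mail attribute.
MAIL_FILTER = "(&(objectClass=user)(objectCategory=person)(mail=*))"


def parse_filter(text):
    """Parse a small subset of RFC 4515 LDAP filter syntax into a tuple tree.
    Supported: (&...), (|...), (!...), (attr=*) presence and (attr=value) equality.
    Values containing ')' are not supported (assumption of this example)."""
    node, rest = _parse(text.strip())
    if rest:
        raise ValueError(f"trailing text after filter: {rest!r}")
    return node


def _parse(text):
    if not text.startswith("("):
        raise ValueError(f"expected '(' at {text!r}")
    body = text[1:]
    if body and body[0] in "&|!":
        op, body, children = body[0], body[1:], []
        while body.startswith("("):
            child, body = _parse(body)
            children.append(child)
        if not body.startswith(")"):
            raise ValueError("unterminated compound filter")
        return (op, children), body[1:]
    end = body.index(")")
    attr, sep, value = body[:end].partition("=")
    if not attr or sep != "=":
        raise ValueError(f"unsupported filter item: {body[:end]!r}")
    return ("=", attr, value), body[end + 1:]


def _values(entry, attr):
    """Case-insensitive attribute lookup; split ';'-joined multi-values, drop empties."""
    for key, raw in entry.items():
        if key.lower() == attr.lower():
            return [v for v in (raw or "").split(";") if v != ""]
    return []


def matches(node, entry):
    """Evaluate a parsed filter tree against one lookup row (dict of attr -> str)."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    vals = _values(entry, attr)
    if value == "*":                      # presence test, e.g. (mail=*)
        return bool(vals)
    return any(v.lower() == value.lower() for v in vals)


def split_uac_details(raw):
    """Mirror the SPL in the question: mvjoin on ':', replace CR/LF runs with ':',
    then makemv on ':' -- i.e. split on any run of ':' or line breaks."""
    return [p for p in re.split(r"[:\r\n]+", raw or "") if p]


def triage_mail(csv_text, domain):
    """Classify one domain's accounts by the mail filter. 'mail_column_present'
    False means the attribute never reached the lookup at all (check the
    ldapsearch attribute list / bind account rights), not that users lack mail."""
    rows = [r for r in csv.DictReader(io.StringIO(csv_text)) if r.get("domain") == domain]
    if not rows or "mail" not in rows[0]:
        return {"mail_column_present": False, "with_mail": [], "without_mail": []}
    node = parse_filter(MAIL_FILTER)
    with_mail = sorted(r["sAMAccountName"] for r in rows if matches(node, r))
    without_mail = sorted(r["sAMAccountName"] for r in rows if not matches(node, r))
    return {"mail_column_present": True, "with_mail": with_mail, "without_mail": without_mail}


if __name__ == "__main__":
    result = triage_mail(SAMPLE_LOOKUP_CSV, "mydomain")
    print(f"mail column present: {result['mail_column_present']}")
    print(f"accounts matching {MAIL_FILTER}: {result['with_mail']}")
    print(f"accounts with no mail value: {result['without_mail']}")
    for row in csv.DictReader(io.StringIO(SAMPLE_LOOKUP_CSV)):
        print(row["sAMAccountName"], split_uac_details(row["uac_details"]))
```

If the script reports the mail column as absent, the lookup-building search (the scheduled ldapsearch referenced above) is the place to look; if the column is there but many accounts fall in the "no mail value" group, confirm with the dsquery/dsget check under the bind account before concluding the attribute is genuinely unset.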