I am asking a lot of questions today (obviously new to Splunk and in implementation...).
We do NOT use AD for Splunk authentication. What I would like to do is query a specific OU for a list of users, then use this list to search the Security Event log of specific servers for logins.
Ultimately, we have vendors who are in an OU that restricts their access to specific servers. I would like to report on their activities weekly. These accounts change based on who we are working with from the vendor so by querying a specific OU, this would be dynamic as changes occur.
You could possibly do this with an external lookup script that mapped the user names to their OU, and subsearch on OU membership. The problem with this approach could be the amount of overhead doing the lookups.
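The external lookup script the answer above suggests, written out as an added example (this is not code from the original thread or from Splunk). Splunk runs an external lookup as `python user_to_ou.py user ou`, feeds it CSV on stdin whose header names the lookup fields, and reads the same CSV back with the output field filled in. The field names `user` and `ou`, the `query_directory` helper (stubbed here with constructed sample DNs so it runs offline; a real deployment would query the directory, e.g. with an LDAP client library), and the transforms.conf stanza in the usage note are all assumptions. The script also normalises the `DOMAIN\user` and `user@domain` forms that appear in Security log events, handles escaped commas in DNs, and caches each name once per invocation to reduce the lookup overhead the answer warns about.

```python
"""Splunk external lookup: map a Windows account name to the AD OU holding it.

Added example, not code from the original thread. Splunk invokes it as
    python user_to_ou.py user ou
with CSV on stdin ("user,ou" header, "ou" empty) and expects the same CSV on
stdout with "ou" filled in.

Assumptions: the field names "user"/"ou" and the query_directory() stub, which
stands in for a real directory query.
"""
import csv
import io
import sys
from typing import Callable, Dict, List, Optional

# Constructed sample directory data (sAMAccountName -> distinguishedName).
SAMPLE_DIRECTORY: Dict[str, str] = {
    "vendor.alice": "CN=Alice,OU=Vendors,OU=External,DC=example,DC=com",
    "vendor.bob": "CN=Bob,OU=Vendors,OU=External,DC=example,DC=com",
    "jdoe": "CN=J Doe,OU=Staff,DC=example,DC=com",
}


def normalize_user(raw: str) -> str:
    """Reduce 'DOMAIN\\name', 'name@domain' or 'name' to a lower-case name."""
    name = raw.strip()
    if "\\" in name:
        name = name.rsplit("\\", 1)[1]
    elif "@" in name:
        name = name.split("@", 1)[0]
    return name.lower()


def ou_from_dn(dn: str) -> str:
    """Return the OU components of a DN, innermost first, joined with '/'.

    Splits only on unescaped commas, so 'CN=Doe\\, J,OU=Staff,...' -> 'Staff'.
    """
    parts: List[str] = []
    buf = ""
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep escaped character verbatim
            buf += dn[i:i + 2]
            i += 2
            continue
        if ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    parts.append(buf)
    return "/".join(p[3:] for p in parts if p.upper().startswith("OU="))


def query_directory(user: str) -> Optional[str]:
    """Assumed stand-in for the LDAP query; returns the account's DN or None."""
    return SAMPLE_DIRECTORY.get(user)


def process_lookup(input_csv: str,
                   resolver: Callable[[str], Optional[str]] = query_directory,
                   user_field: str = "user", ou_field: str = "ou") -> str:
    """Fill the OU column of the CSV Splunk hands to the lookup script."""
    reader = csv.DictReader(io.StringIO(input_csv))
    fieldnames = list(reader.fieldnames or [])
    if user_field not in fieldnames or ou_field not in fieldnames:
        raise ValueError(f"expected {user_field!r} and {ou_field!r} in header {fieldnames}")
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    cache: Dict[str, str] = {}            # one directory query per distinct name
    for row in reader:
        user = normalize_user(row.get(user_field) or "")
        if user and not row.get(ou_field):
            if user not in cache:
                dn = resolver(user)
                cache[user] = ou_from_dn(dn) if dn else ""
            row[ou_field] = cache[user]   # unknown accounts keep an empty OU
        writer.writerow(row)
    return out.getvalue()


def main(argv: List[str]) -> int:
    user_field = argv[1] if len(argv) > 1 else "user"
    ou_field = argv[2] if len(argv) > 2 else "ou"
    sys.stdout.write(process_lookup(sys.stdin.read(), user_field=user_field, ou_field=ou_field))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wiring it up (assumed names): put the script in an app's `bin` directory, define it in transforms.conf as `[user_to_ou]` with `external_cmd = user_to_ou.py user ou` and `fields_list = user, ou`, then enrich the Security events, for example `index=wineventlog EventCode=4624 | lookup user_to_ou user AS Account_Name OUTPUT ou | search ou="Vendors/*"` (the `Account_Name` field name depends on how the Windows events are extracted). To avoid paying the directory query on every search, a scheduled search can run the same enrichment over the distinct account names and write the result with `outputlookup` to a CSV lookup that the weekly report then joins against; the OU membership stays dynamic because the scheduled search refreshes it.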