Splunk Search

LDAP search with a wildcard

chadman
Path Finder

I have a search below that works fine, but I would like to add a wildcard to it.

This search works
| ldapsearch domain=mydomain.com search=(&(objectClass=computer)(memberOf="CN=Patch1, OU=Patches,OU=Wintel,DC=Mydomain,DC=com")) attrs=name

I would like to do something like below, but it does not show any results with the wildcard.
| ldapsearch domain=mydomain.com search=(&(objectClass=computer)(memberOf="CN=Patch*, OU=Patches,OU=Wintel,DC=Mydomain,DC=com")) attrs=name

0 Karma
1 Solution

hos_2
Path Finder

Hey Chadman,

Try something like this:
search="(CN=Patch*)"

and keep adding to it if that is working in your environment.

Or you can get a bit more creative (not sure if this will work for you, you may want to try creating a Lookup that you can pull the data from, to search):

| ldapsearch domain=mydomain.com search=objectClass=computer | search memberOf="(CN=Patch*, OU=Patches,OU=Wintel,DC=Mydomain,DC=com)"

0 Karma

chadman
Path Finder

hos_2,
That does kind of work, but how can I do something like below to narrow down the search?
search="(CN=Patch*)(OU=Wintel)"

0 Karma

EdBruce
Explorer

I believe you need to use the and filtercomp "&". Still learning myself, but might try:

search=(&(CN=Patch*)(OU=Wintel))

0 Karma

hos_2
Path Finder

Maybe something like this?

search memberOf="CN=Patch*" AND memberOf=(OU=Patches,OU=Wintel,DC=Mydomain,DC=com)

0 Karma

chadman
Path Finder

Can't get that to work; the syntax might be wrong. I have tried a couple of variations. I also tried adding basedn=(OU=Patches,OU=Wintel,DC=Mydomain,DC=com), thinking that would limit the scope of my search, but it doesn't.

0 Karma

hos_2
Path Finder

Yeah, we had similar issues with the data; our workaround was to just gather everything in a lookup daily, then run searches off the lookup tables.

0 Karma

chadman
Path Finder

Thanks. I might look into that also. I was hoping to avoid having another process to create the lookup table. I also posted another similar question, but without wildcards.

0 Karma
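The two things this thread circles around are (1) how to AND filter clauses correctly (`(&(a)(b))`, not `(&(a)&(b))`) with values escaped per RFC 4515, and (2) how to do the "pull everything, then narrow it down" workaround hos_2 describes, which is needed because in Active Directory memberOf is a DN-syntax attribute with no substring matching rule, so a wildcard inside the DN matches nothing server-side. The Python below is an added example, not part of the original thread or of the Splunk ldapsearch app: the filter-building helpers are generic, and the `SAMPLE_COMPUTERS` rows are constructed to look like `attrs=name,memberOf` output (the DN-suffix matching is done client-side, tolerating the space after the comma seen in the thread's DNs).

```python
import re
from typing import List

# Constructed sample rows, shaped like "| ldapsearch ... search=objectClass=computer
# attrs=name,memberOf" output. Names and DNs are made up for this example.
SAMPLE_COMPUTERS = [
    {"name": "WEB01", "memberOf": ["CN=Patch1, OU=Patches,OU=Wintel,DC=Mydomain,DC=com"]},
    {"name": "SQL02", "memberOf": ["CN=Patch2,OU=Patches,OU=Wintel,DC=Mydomain,DC=com",
                                   "CN=Admins,OU=Groups,DC=Mydomain,DC=com"]},
    {"name": "LNX03", "memberOf": ["CN=Patch1,OU=Patches,OU=Linux,DC=Mydomain,DC=com"]},
    {"name": "DEV04", "memberOf": []},
]


def ldap_escape(value: str, allow_wildcard: bool = False) -> str:
    """RFC 4515 escaping of an assertion value; '*' is kept only when intended."""
    out = []
    for ch in value:
        if ch == "*" and allow_wildcard:
            out.append(ch)
        elif ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def eq(attr: str, value: str, allow_wildcard: bool = False) -> str:
    return f"({attr}={ldap_escape(value, allow_wildcard)})"


def and_filter(*clauses: str) -> str:
    """LDAP AND: one '&' in front, then each clause in its own parentheses."""
    return "(&" + "".join(clauses) + ")"


def normalize_dn(dn: str) -> List[str]:
    """Split on unescaped commas, trim the spaces AD tolerates after them, lowercase."""
    return [rdn.strip().lower() for rdn in re.split(r"(?<!\\),", dn)]


def dn_matches(dn: str, pattern: str) -> bool:
    """Leading RDN of pattern may contain '*'; the container RDNs must match exactly."""
    got, want = normalize_dn(dn), normalize_dn(pattern)
    if len(got) != len(want) or got[1:] != want[1:]:
        return False
    regex = "^" + ".*".join(re.escape(p) for p in want[0].split("*")) + "$"
    return re.match(regex, got[0]) is not None


def computers_in_groups(rows, pattern: str) -> List[str]:
    """Client-side equivalent of '| search memberOf=...' with a DN wildcard."""
    return sorted(r["name"] for r in rows if any(dn_matches(g, pattern) for g in r["memberOf"]))
```

`and_filter(eq("objectClass", "computer"), eq("cn", "Patch*", True))` yields a filter the server can run, while `computers_in_groups` is the post-filter to use for the memberOf case.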