Splunk Search

ldapfilter does not return all attributes

Engager

I'm trying to  use Splunk to return a list of records that have been modified in our LDAP since a particular datetime.

There are certain attributes that I know exist in LDAP (e.g., weillCornellEduEndDate), and I can retrieve when using ldapsearch but that don't appear when I use ldapfilter (which I have to use; see previous sentence).

 

This works:

 

* | head 1 | eval x = "z" | table x
| eval timestamp = "20200914213812Z"
| ldapfilter domain=ED-people search="(&(objectClass=top)(|(modifyTimestamp>=$timestamp$)(createTimestamp>=$timestamp$)))" attrs="objectClass,cn,mail,title,o,sn,givenName"
| table *

 

 

 

 

 

 

Screen Shot 2020-09-15 at 5.34.39 PM.png

 

This does NOT work:

 

* | head 1 | eval x = "z" | table x
| eval timestamp = "20200914213812Z"
| ldapfilter domain=ED-people search="(&(objectClass=top)(|(modifyTimestamp>=$timestamp$)(createTimestamp>=$timestamp$)))" attrs="objectClass,cn,mail,title,o,sn,givenName,weillCornellEduEndDate"
| table *

 

 

 

 

 

 

Screen Shot 2020-09-15 at 5.35.02 PM.png

Nor does this....

 

* | head 1 | eval x = "z" | table x
| eval timestamp = "20200914213812Z"
| ldapfilter domain=ED-people search="(&(objectClass=top)(|(modifyTimestamp>=$timestamp$)(createTimestamp>=$timestamp$)))" attrs="*"
| table *

 

 

 

 

 

 

Screen Shot 2020-09-15 at 5.35.25 PM.png

 

I'm using Splunk 7.2.9.1 and SA-LDAPSearch.

Here's the error code in the logs.

09-15-2020 17:46:29.177 ERROR script - sid:1600206382.183889 External search command 'ldapfilter' returned error code 1. Script output = "error_message=Invalid attribute types in attrs list: weillCornellEduEndDate\r\n\r\n".

Labels (1)
0 Karma