Splunk Search

ldapsearch: Trying to search last 2 days in whenChanged attribute dynamically.

mafruma
Explorer

I need to run a daily ldap search that will grab only the accounts that have changed in the last 2 days. I can hard code a date into the whenChanged attribute.

| ldapsearch search="(&(objectClass=user)(whenChanged>=20230817202220.0Z)(!(objectClass=computer)))"
| table cn whenChanged whenCreated

I am trying to make whenChanged into a last 2 days variable that will work with ldap search. 

I can create a whenChanged using:

| makeresults | eval whenChanged=strftime(relative_time(now(),"-2d@d"),"%Y%m%d%H%M%S.0Z") | fields - _time

I could use some help getting that dynamic value into the ldap search so that I am looking for the >= values of whenChanged.

etoombs
Path Finder

You're most of the way there -- in your original search, replace the date you have with [] and put your makeresults in it. The items in the brackets run before the remainder of the search.

| ldapsearch search="(&(objectClass=user)(whenChanged>=[| makeresults | eval whenChanged=strftime(relative_time(now(),"-2d@d"),"%Y%m%d%H%M%S.0Z") | return $whenChanged])(!(objectClass=computer)))"
| table cn whenChanged whenCreated

mafruma
Explorer

Your solution makes sense, but I am still getting this error when I try to run the search.

External search command 'ldapsearch' returned error code 1. Script output = "error_message=invalid filter ".

mafruma
Explorer

Digging into the job inspector, it looks like the subsearch is not actually running before the ldapsearch runs. 

etoombs
Path Finder

I don't have ldap search set up, so I can't test - but give this a try:

| makeresults
| eval relativedate=strftime(relative_time(now(),"-2d@d"),"%Y%m%d%H%M%S.0Z")
| map search="| ldapsearch search=\"(&(objectClass=user)(whenChanged>=$relativedate$)(!(objectClass=computer)))\" "
| table cn whenChanged whenCreated
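
Added example (not from this thread or from the Splunk ldapsearch app): the same computation in Python, for checking the cutoff and the expanded filter outside Splunk. It mirrors what the `map` command above produces once `$relativedate$` is substituted: go back two days, snap to the start of that day, format as LDAP GeneralizedTime (`YYYYMMDDHHMMSS.0Z`), and interpolate the value into the `whenChanged>=` filter. The value is validated against a strict pattern before it is placed in the filter, so a malformed token fails locally instead of coming back as an `invalid filter` error from the LDAP server. The sample rows are constructed stand-ins for what `| table cn whenChanged whenCreated` returns. One caveat the example makes explicit: it snaps in UTC, which is what the literal `Z` suffix asserts; in Splunk the `@d` snap and `strftime` follow the search user's time zone setting, so the cutoff can drift by the zone offset unless that setting is UTC.

```python
import re
from datetime import datetime, timedelta, timezone

# Strict shape of the value the SPL above produces: 14 digits, then ".0Z".
GENERALIZED_TIME_RE = re.compile(r"^\d{14}\.0Z$")


def snap_days_back(now: datetime, days: int) -> datetime:
    """UTC equivalent of Splunk's relative_time(now(), "-<days>d@d"):
    go back N days, then snap to the start of that day (midnight UTC)."""
    if now.tzinfo is None:
        raise ValueError("pass an aware datetime so the snap happens in UTC")
    past = now.astimezone(timezone.utc) - timedelta(days=days)
    return past.replace(hour=0, minute=0, second=0, microsecond=0)


def to_generalized_time(ts: datetime) -> str:
    """Format as the LDAP GeneralizedTime string used in the thread, e.g. 20230817000000.0Z."""
    return ts.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S") + ".0Z"


def from_generalized_time(value: str) -> datetime:
    """Parse whenChanged/whenCreated values as Active Directory returns them."""
    if not GENERALIZED_TIME_RE.match(value):
        raise ValueError(f"not a GeneralizedTime value: {value!r}")
    return datetime.strptime(value[:14], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def changed_since_filter(since: str) -> str:
    """Build the filter the map command expands to. The cutoff is validated first,
    so anything other than a well-formed timestamp raises here rather than
    reaching ldapsearch as an invalid filter."""
    if not GENERALIZED_TIME_RE.match(since):
        raise ValueError(f"refusing to interpolate {since!r} into an LDAP filter")
    return f"(&(objectClass=user)(whenChanged>={since})(!(objectClass=computer)))"


def select_changed(entries, since: str):
    """Client-side equivalent of the server-side whenChanged>= match: keep entries
    whose whenChanged is at or after the cutoff (the boundary itself is included)."""
    cutoff = from_generalized_time(since)
    return [e for e in entries if from_generalized_time(e["whenChanged"]) >= cutoff]


# Constructed sample rows standing in for `| table cn whenChanged whenCreated` output.
SAMPLE_ENTRIES = [
    {"cn": "alice", "whenChanged": "20230818091500.0Z", "whenCreated": "20200101000000.0Z"},
    {"cn": "bob",   "whenChanged": "20230816235959.0Z", "whenCreated": "20190505120000.0Z"},
    {"cn": "carol", "whenChanged": "20230817000000.0Z", "whenCreated": "20230817000000.0Z"},
]


def run_example(now_gt: str):
    """Take 'now' as a GeneralizedTime string, return (cutoff, filter, matching cn values)."""
    now = from_generalized_time(now_gt)
    since = to_generalized_time(snap_days_back(now, 2))
    ldap_filter = changed_since_filter(since)
    hits = select_changed(SAMPLE_ENTRIES, since)
    return since, ldap_filter, [e["cn"] for e in hits]


if __name__ == "__main__":
    since, ldap_filter, names = run_example(to_generalized_time(datetime.now(timezone.utc)))
    print("cutoff:", since)
    print("filter:", ldap_filter)
    print("changed in window:", names)
```

With `now` set to 20230819202220.0Z (the original hard-coded date plus two days), the cutoff is 20230817000000.0Z, the filter is the one the accepted answer builds, and only `alice` and `carol` fall inside the window: `bob` changed one second before the snapped midnight and is excluded, while `carol` sits exactly on the boundary and is included because the match is `>=`.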

mafruma
Explorer

Wow... This worked! Thank you very much. This has been a journey. 

Looks like I just need to shorten my relative time to avoid the max results and timeouts for the "map" function, but that is totally worth it.
