Splunk Search

ldapsearch: Trying to search last 2 days in whenChanged attribute dynamically.

mafruma
Explorer

I need to run a daily ldap search that will grab only the accounts that have changed in the last 2 days. I can hard code a date into the whenChanged attribute.

| ldapsearch search="(&(objectClass=user)(whenChanged>=20230817202220.0Z)(!(objectClass=computer)))" 
|table cn whenChanged whenCreated

I am trying to make whenChanged into a "last 2 days" variable that will work with ldapsearch.

I can create a whenChanged using:

|makeresults |eval whenChanged=strftime(relative_time(now(),"-2d@d"),"%Y%m%d%H%M%S.0Z")|fields - _time

I could use some help getting that dynamic value into the ldap search so that I am looking for the >= values of whenChanged.

0 Karma

etoombs
Path Finder

You're most of the way there -- in your original search, replace the date you have with [] and put your makeresults in it. The items in the brackets run before the remainder of the search.

| ldapsearch search="(&(objectClass=user)(whenChanged>=[|makeresults |eval whenChanged=strftime(relative_time(now(),"-2d@d"),"%Y%m%d%H%M%S.0Z")|return $whenChanged])(!(objectClass=computer)))" 
|table cn whenChanged whenCreated

0 Karma

mafruma
Explorer

Your solution makes sense, but I am still getting this error when I try to run the search.

External search command 'ldapsearch' returned error code 1. Script output = "error_message=invalid filter ".

0 Karma

mafruma
Explorer

Digging into the job inspector, it looks like the subsearch is not actually running before the ldapsearch runs. 

0 Karma

etoombs
Path Finder

I don't have ldap search set up, so I can't test - but give this a try:

| makeresults
| eval relativedate=strftime(relative_time(now(),"-2d@d"),"%Y%m%d%H%M%S.0Z")
| map search="| ldapsearch search=\"(&(objectClass=user)(whenChanged>=$relativedate$)(!(objectClass=computer)))\" "
| table cn whenChanged whenCreated

mafruma
Explorer

Wow... This worked! Thank you very much. This has been a journey. 

Looks like I just need to shorten my relative time to avoid the max results and timeouts for the "map" function, but that is totally worth it.

0 Karma
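
As an added example (not code from the thread or from Splunk), the Python below reproduces the threshold that strftime(relative_time(now(), "-2d@d"), "%Y%m%d%H%M%S.0Z") yields, builds the filter used in the thread, and checks the filter before it is sent, so a literal, unexpanded [|makeresults ...] subsearch or $relativedate$ token (what produced the "invalid filter" error above) is rejected up front instead of by ldapsearch. The function names, the UTC day snapping and the structural check are assumptions of this example.

```python
"""Added example (not from the thread or from Splunk): reproduce the whenChanged
threshold that strftime(relative_time(now(), "-2d@d"), "%Y%m%d%H%M%S.0Z") yields,
build the filter from the thread, and sanity-check it before it is sent."""
import re
from datetime import datetime, timedelta, timezone

# One leaf item "(attr op value)"; RFC 4515 forbids unescaped parentheses in values.
LEAF = re.compile(r"\(([A-Za-z][A-Za-z0-9;-]*)(>=|<=|~=|=)([^()]*)\)")
# Active Directory GeneralizedTime as used by whenChanged, e.g. 20230817202220.0Z
GENERALIZED_TIME = re.compile(r"\d{14}(\.\d+)?Z")
# A Splunk subsearch "[|..." or map token "$name$" that was never substituted
UNEXPANDED = re.compile(r"\[\||\$\w+\$")

def when_changed_threshold(now: datetime, days: int = 2) -> str:
    """relative_time(now(), "-<days>d@d") formatted for LDAP: "@d" snaps to
    00:00:00 of the current day, then <days> whole days are subtracted.
    Assumption: we snap in UTC; Splunk snaps in the user's configured time zone."""
    day_start = now.astimezone(timezone.utc).replace(hour=0, minute=0, second=0, microsecond=0)
    return (day_start - timedelta(days=days)).strftime("%Y%m%d%H%M%S.0Z")

def build_filter(threshold: str) -> str:
    """The thread's filter with the computed threshold substituted in."""
    return f"(&(objectClass=user)(whenChanged>={threshold})(!(objectClass=computer)))"

def validate_filter(flt: str) -> bool:
    """Structural check (not a full RFC 4515 parser): no leftover Splunk tokens,
    no empty values, a GeneralizedTime for whenChanged, balanced &/|/! nesting."""
    if not flt.startswith("(") or UNEXPANDED.search(flt):
        return False
    for attr, _op, value in LEAF.findall(flt):
        if value == "":
            return False
        if attr.lower() == "whenchanged" and not GENERALIZED_TIME.fullmatch(value):
            return False
    skeleton = LEAF.sub("", flt)  # the thread's filter reduces to "(&(!))"
    if not re.fullmatch(r"(?:\([&|!]|\))*", skeleton):
        return False  # stray text, e.g. an unexpanded subsearch, or a bad leaf
    depth = 0
    for ch in skeleton:
        depth += 1 if ch == "(" else -1 if ch == ")" else 0
        if depth < 0:
            return False
    return depth == 0

if __name__ == "__main__":
    flt = build_filter(when_changed_threshold(datetime.now(timezone.utc)))
    print(flt, "valid" if validate_filter(flt) else "INVALID")
```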