Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

ldapsearch: Trying to search last 2 days in whenChanged attribute dynamically.

mafruma
Explorer
‎09-05-2023 02:39 PM

I need to run a daily ldap search that will grab only the accounts that have change in the last 2 days. I can hard code a data into the whenChanged attribute. 

 

 

 

 

| ldapsearch search="(&(objectClass=user)(whenChanged>=20230817202220.0Z)(!(objectClass=computer)))" 
|table cn whenChanged whenCreated

 

 

 

 

I am trying to make whenChanged into a last 2 days variable that will work with ldap search. 

I can create a whenChanged using:

 

 

 

|makeresults |eval whenChanged=strftime(relative_time(now(),"-2d@d"),"%Y%m%d%H%M%S.0Z")|fields - _time

 

 

 

 

I could use the help getting that dynamic value into the ldap search so that I am looking for the >= values of whenChanged

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

etoombs
Path Finder
‎09-06-2023 05:49 PM

I don't have ldap search set up, so I can't test - but give this a try:

| makeresults
| eval relativedate=strftime(relative_time(now(),"-2d@d"),"%Y%m%d%H%M%S.0Z")
| map search="| ldapsearch search=\"(&(objectClass=user)(whenChanged>=$relativedate$)(!(objectClass=computer)))\" "
| table cn whenChanged whenCreated

View solution in original post

Reply
Solved! Jump to solution

etoombs
Path Finder
‎09-05-2023 04:31 PM

You're most of the way there -- In your original search, replace the date you have with [] and put your make results in it. The items in the brackets run before the remainder of the search. 

| ldapsearch search="(&(objectClass=user)(whenChanged>=[|makeresults |eval whenChanged=strftime(relative_time(now(),"-2d@d"),"%Y%m%d%H%M%S.0Z")|return $whenChanged])(!(objectClass=computer)))" 
|table cn whenChanged whenCreated

 

0 Karma
Reply
Solved! Jump to solution

mafruma
Explorer
‎09-06-2023 09:44 AM

Your solution make sense but I am still getting this error when I try to run the search. 

External search command 'ldapsearch' returned error code 1. Script output = "error_message=invalid filter ".

 

 

0 Karma
Reply
Solved! Jump to solution

mafruma
Explorer
‎09-06-2023 09:53 AM

Digging into the job inspector, it looks like the subsearch is not actually running before the ldapsearch runs. 

0 Karma
Reply
Solved! Jump to solution
Solution

etoombs
Path Finder
‎09-06-2023 05:49 PM

I don't have ldap search set up, so I can't test - but give this a try:

| makeresults
| eval relativedate=strftime(relative_time(now(),"-2d@d"),"%Y%m%d%H%M%S.0Z")
| map search="| ldapsearch search=\"(&(objectClass=user)(whenChanged>=$relativedate$)(!(objectClass=computer)))\" "
| table cn whenChanged whenCreated

Reply
Solved! Jump to solution

mafruma
Explorer
‎09-07-2023 09:59 AM

Wow... This worked! Thank you very much. This has been a journey. 

Looks like I just need to shorten my relative time to avoid the max results and timeouts for the "map" function but that is totally worth it. 

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...