Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- ldapsearch through map command is blanking out the...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ldapsearch through map command is blanking out the rest of my table except for it's own output
fdevera
Path Finder
02-03-2021
12:32 PM
1st search works (I get all fields in my table including GUID):
earliest=-1y index=azuread sourcetype="ms:aad:audit" category=DirectoryManagement (activityDisplayName="CreateTrustFrameworkPolicy" OR activityDisplayName="Add unverified domain" OR activityDisplayName="Add verified domain" OR activityDisplayName="Set federation settings on domain" OR activityDisplayName="Get tenant details" OR activityDisplayName="Initialize tenant" OR activityDisplayName="Create company" OR activityDisplayName="Create program")
| fillnull value=”N/A”
| rex field=initiatedBy.user.userPrincipalName "ex(?<GUID>\d+)z\@"
| table activityDateTime, activityDisplayName, operationType, targetResources{}.displayName, targetResources{}.modifiedProperties{}.displayName, targetResources{}.modifiedProperties{}.oldValue, targetResources{}.modifiedProperties{}.newValue, initiatedBy.user.userPrincipalName, GUID
2nd search works (I get cn from map command by itself):
earliest=-1y index=azuread sourcetype="ms:aad:audit" category=DirectoryManagement (activityDisplayName="CreateTrustFrameworkPolicy" OR activityDisplayName="Add unverified domain" OR activityDisplayName="Add verified domain" OR activityDisplayName="Set federation settings on domain" OR activityDisplayName="Get tenant details" OR activityDisplayName="Initialize tenant" OR activityDisplayName="Create company" OR activityDisplayName="Create program")
| rex field=initiatedBy.user.userPrincipalName "ex(?<GUID>\d+)z\@"
| fillnull value=”N/A”
| map search="ldapsearch domain=DEFAULT search=\"(&(objectClass=user)(qcguid=$GUID$))\" attrs=cn"
| table cn
3rd search combining the two searches blanks out my table but properly shows cn field obtained from map:
earliest=-1y index=azuread sourcetype="ms:aad:audit" category=DirectoryManagement (activityDisplayName="CreateTrustFrameworkPolicy" OR activityDisplayName="Add unverified domain" OR activityDisplayName="Add verified domain" OR activityDisplayName="Set federation settings on domain" OR activityDisplayName="Get tenant details" OR activityDisplayName="Initialize tenant" OR activityDisplayName="Create company" OR activityDisplayName="Create program")
| rex field=initiatedBy.user.userPrincipalName "ex(?<GUID>\d+)z\@"
| fillnull value=”N/A”
| map search="ldapsearch domain=DEFAULT search=\"(&(objectClass=user)(qcguid=$GUID$))\" attrs=cn"
| table activityDateTime, activityDisplayName, operationType, targetResources{}.displayName, targetResources{}.modifiedProperties{}.displayName, targetResources{}.modifiedProperties{}.oldValue, targetResources{}.modifiedProperties{}.newValue, initiatedBy.user.userPrincipalName, GUID,cn
How do fix this? Append, appendcols, join? Any idea?
Thanks!
Get Updates on the Splunk Community!
.conf23 Registration is Now Open!
Time to toss the .conf-etti 🎉 — .conf23 registration is open!
Join us in Las Vegas July 17-20 for ...
Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...
Attention everyone! We have exciting news to share! We are recruiting new members for the Mission Possible: ...
Unify Your SecOps with Splunk Mission Control
In today’s post, I'm excited to share some recent Splunk Mission Control innovations. With Splunk Mission ...
