Splunk Search

ldapsearch through map command is blanking out the rest of my table except for it's own output

fdevera
Path Finder

1st search works (I get all fields in my table including GUID):

 

earliest=-1y index=azuread sourcetype="ms:aad:audit" category=DirectoryManagement (activityDisplayName="CreateTrustFrameworkPolicy" OR activityDisplayName="Add unverified domain" OR activityDisplayName="Add verified domain" OR activityDisplayName="Set federation settings on domain" OR activityDisplayName="Get tenant details" OR activityDisplayName="Initialize tenant" OR activityDisplayName="Create company" OR activityDisplayName="Create program")
| fillnull value=”N/A”
| rex field=initiatedBy.user.userPrincipalName "ex(?<GUID>\d+)z\@"
| table activityDateTime, activityDisplayName, operationType, targetResources{}.displayName, targetResources{}.modifiedProperties{}.displayName, targetResources{}.modifiedProperties{}.oldValue, targetResources{}.modifiedProperties{}.newValue, initiatedBy.user.userPrincipalName, GUID

 

2nd search works (I get cn from map command by itself):

 

earliest=-1y index=azuread sourcetype="ms:aad:audit" category=DirectoryManagement (activityDisplayName="CreateTrustFrameworkPolicy" OR activityDisplayName="Add unverified domain" OR activityDisplayName="Add verified domain" OR activityDisplayName="Set federation settings on domain" OR activityDisplayName="Get tenant details" OR activityDisplayName="Initialize tenant" OR activityDisplayName="Create company" OR activityDisplayName="Create program")
| rex field=initiatedBy.user.userPrincipalName "ex(?<GUID>\d+)z\@"
| fillnull value=”N/A”
| map search="ldapsearch domain=DEFAULT search=\"(&(objectClass=user)(qcguid=$GUID$))\" attrs=cn"
| table cn

 

3rd search combining the two searches blanks out my table but properly shows cn field obtained from map:

 

earliest=-1y index=azuread sourcetype="ms:aad:audit" category=DirectoryManagement (activityDisplayName="CreateTrustFrameworkPolicy" OR activityDisplayName="Add unverified domain" OR activityDisplayName="Add verified domain" OR activityDisplayName="Set federation settings on domain" OR activityDisplayName="Get tenant details" OR activityDisplayName="Initialize tenant" OR activityDisplayName="Create company" OR activityDisplayName="Create program")
| rex field=initiatedBy.user.userPrincipalName "ex(?<GUID>\d+)z\@"
| fillnull value=”N/A”
| map search="ldapsearch domain=DEFAULT search=\"(&(objectClass=user)(qcguid=$GUID$))\" attrs=cn"
| table activityDateTime, activityDisplayName, operationType, targetResources{}.displayName, targetResources{}.modifiedProperties{}.displayName, targetResources{}.modifiedProperties{}.oldValue, targetResources{}.modifiedProperties{}.newValue, initiatedBy.user.userPrincipalName, GUID,cn

 

How do fix this? Append, appendcols, join? Any idea?

Thanks!

Labels (6)
Tags (1)
0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...