Splunk Search

ldapsearch through map command is blanking out the rest of my table except for it's own output

fdevera
Path Finder

1st search works (I get all fields in my table including GUID):

 

earliest=-1y index=azuread sourcetype="ms:aad:audit" category=DirectoryManagement (activityDisplayName="CreateTrustFrameworkPolicy" OR activityDisplayName="Add unverified domain" OR activityDisplayName="Add verified domain" OR activityDisplayName="Set federation settings on domain" OR activityDisplayName="Get tenant details" OR activityDisplayName="Initialize tenant" OR activityDisplayName="Create company" OR activityDisplayName="Create program")
| fillnull value=”N/A”
| rex field=initiatedBy.user.userPrincipalName "ex(?<GUID>\d+)z\@"
| table activityDateTime, activityDisplayName, operationType, targetResources{}.displayName, targetResources{}.modifiedProperties{}.displayName, targetResources{}.modifiedProperties{}.oldValue, targetResources{}.modifiedProperties{}.newValue, initiatedBy.user.userPrincipalName, GUID

 

2nd search works (I get cn from map command by itself):

 

earliest=-1y index=azuread sourcetype="ms:aad:audit" category=DirectoryManagement (activityDisplayName="CreateTrustFrameworkPolicy" OR activityDisplayName="Add unverified domain" OR activityDisplayName="Add verified domain" OR activityDisplayName="Set federation settings on domain" OR activityDisplayName="Get tenant details" OR activityDisplayName="Initialize tenant" OR activityDisplayName="Create company" OR activityDisplayName="Create program")
| rex field=initiatedBy.user.userPrincipalName "ex(?<GUID>\d+)z\@"
| fillnull value=”N/A”
| map search="ldapsearch domain=DEFAULT search=\"(&(objectClass=user)(qcguid=$GUID$))\" attrs=cn"
| table cn

 

3rd search combining the two searches blanks out my table but properly shows cn field obtained from map:

 

earliest=-1y index=azuread sourcetype="ms:aad:audit" category=DirectoryManagement (activityDisplayName="CreateTrustFrameworkPolicy" OR activityDisplayName="Add unverified domain" OR activityDisplayName="Add verified domain" OR activityDisplayName="Set federation settings on domain" OR activityDisplayName="Get tenant details" OR activityDisplayName="Initialize tenant" OR activityDisplayName="Create company" OR activityDisplayName="Create program")
| rex field=initiatedBy.user.userPrincipalName "ex(?<GUID>\d+)z\@"
| fillnull value=”N/A”
| map search="ldapsearch domain=DEFAULT search=\"(&(objectClass=user)(qcguid=$GUID$))\" attrs=cn"
| table activityDateTime, activityDisplayName, operationType, targetResources{}.displayName, targetResources{}.modifiedProperties{}.displayName, targetResources{}.modifiedProperties{}.oldValue, targetResources{}.modifiedProperties{}.newValue, initiatedBy.user.userPrincipalName, GUID,cn

 

How do fix this? Append, appendcols, join? Any idea?

Thanks!

Labels (6)
Tags (1)
0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...