This question was superseded by the excellent SA-ldapsearch application, so I'll mark it as answered. Here's the basic gist of how we're dumping our AD asset lookup, hopefully somebody finds it useful:
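| ldapsearch domain=CONTOSO search="(objectClass=computer)"
```Purpose: rebuild the ad_assets lookup from every AD computer object returned by SA-ldapsearch.```
```These inline comments need a Splunk version that supports triple-backtick comments; strip them otherwise.```
```priority: case() returns the first matching branch, so production outranks disaster_recovery, which outranks test.```
```NOTE(review): the patterns are unanchored, so any group name that merely contains "test" or "production" matches.```
```NOTE(review): a host that matches no group falls through to "low", so a missing group membership under-prioritises it.```
| eval priority=case(match(memberOf, "(?i)production"), "critical",
match(memberOf, "(?i)disaster_recovery"), "high",
match(memberOf, "(?i)test"), "medium",
1=1, "low")
| eval category="contoso"
| eval cn=lower(cn)
| eval dns=toString(cn) + ".contoso.com"
```bunit: business unit taken from the OU in distinguishedName; the OU patterns are unanchored substrings as well.```
| eval bunit=case(match(distinguishedName, "(?i)ou=mgmt"), "Management",
match(distinguishedName, "(?i)ou=sales"), "Sales",
match(distinguishedName, "(?i)ou=it"), "Information Technology",
match(distinguishedName, "(?i)ou=legal"), "Legal",
1=1, "Contoso")
```Location: disaster_recovery members get the Honolulu coordinates, everything else the Washington, DC ones.```
| eval lat=case(match(memberOf, "(?i)disaster_recovery"), 21.30694,
1=1, 38.8895)
| eval long=case(match(memberOf, "(?i)disaster_recovery"), -157.85833,
1=1, -77.0352)
| eval city=case(match(memberOf, "(?i)disaster_recovery"), "Honolulu, HI",
1=1, "Washington, DC")
| eval country="USA"
```category: pipe-delimited tag list; the platform tag is added first, then OS, OU, group and activity tags.```
```NOTE(review): an operatingSystem of "unknown" is tagged server|linux here; confirm that is intended.```
| eval category = category + "|"
| eval category = category + case(match(operatingSystem, "(?i)windows\sserver"), "server|windows",
match(operatingSystem, "(?i)windows"), "workstation|windows",
match(operatingSystem, "(?i)RHEL") OR match(operatingSystem, "(?i)RedHat") OR match(operatingSystem, "(?i)CentOS") OR match(operatingSystem, "(?i)unknown"),"server|linux",
match(operatingSystem, "(?i)SunOS"), "server|solaris",
1=1, "device|unknown")
```os: lower-cased operatingSystem with the words "windows" and "server" stripped, leaving the edition text.```
| eval os=trim(lower(operatingSystem))
| eval os=trim(replace(os, "windows", ""))
| eval os=trim(replace(os, "server", ""))
```osver holds the OS version and ossp the service pack, matching the attribute each name refers to.```
| eval osver=trim(lower(operatingSystemVersion))
| eval ossp=trim(lower(operatingSystemServicePack))
```All three appends are gated on os not being "unknown", not on the value being appended.```
| eval category=if(isNotNull(os) AND os!="unknown", toString(category) + "|" + toString(os), category)
| eval category=if(isNotNull(osver) AND os!="unknown", toString(category) + "|" + toString(osver), category)
| eval category=if(isNotNull(ossp) AND os!="unknown", toString(category) + "|" + toString(ossp), category)
| eval category=if(match(distinguishedName, "(?i)ou=domain\scontroller"), toString(category) + "|domain_controller", category)
| eval category=if(match(distinguishedName, "(?i)ou=laptops"), toString(category) + "|laptop", category)
| eval category=if(match(distinguishedName, "(?i)ou=desktop"), toString(category) + "|desktop", category)
| eval category=if(match(distinguishedName, "(?i)ou=linux") AND match(distinguishedName, "(?i)splunk"), toString(category) + "|splunk", category)
| eval category=if(match(distinguishedName, "(?i)ou=linux") AND match(distinguishedName, "(?i)log"), toString(category) + "|log", category)
| eval category=if(match(memberOf, "(?i)production"), toString(category) + "|production", category)
| eval category=if(match(memberOf, "(?i)test"), toString(category) + "|test", category)
| eval category=if(match(memberOf, "(?i)disaster_recovery"), toString(category) + "|disaster_recovery", category)
| eval category=if(match(servicePrincipalName, "(?i)MSClusterVirtualServer"), toString(category) + "|cluster_object", category)
```Activity tag: account_active when lastLogonTimestamp is newer than 30 days, snapped to midnight.```
```NOTE(review): a missing or unparseable lastLogonTimestamp presumably lands in account_inactive; AD replicates this attribute lazily, so treat it as approximate.```
| eval category=if(strptime(lastLogonTimestamp, "%Y/%m/%d %H:%M:%S %Z")>relative_time(now(),"-30d@d"), toString(category) + "|account_active", category + "|account_inactive")
| eval should_update="TRUE"
| eval should_timesync="FALSE"
| eval requires_av=case(match(operatingSystem, "(?i)windows"), "TRUE",
1=1, "FALSE")
```is_expected: TRUE only for hosts tagged splunk, log or domain_controller; the match is a substring test over the whole category string.```
| eval is_expected=case(match(category, "(?i)splunk") OR match(category, "(?i)log") OR match(category, "(?i)domain_controller"), "TRUE", 1=1, "FALSE")
```Fetch the mail attribute of the object named in managedBy; it is renamed to owner below.```
| ldapfetch dn=managedBy attrs=mail
```ip, mac, pci_domain and patchgroup are never set by this search; they are populated only if the LDAP results carry those fields.```
| table ip,mac,cn,dns,mail,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av,description,location,patchgroup,operatingSystem,operatingSystemServicePack,operatingSystemVersion, lastLogonTimestamp
| rename cn AS nt_host, mail AS owner, operatingSystem AS os, location AS ad_location, description AS ad_description, operatingSystemServicePack AS ad_operatingSystemServicePack, lastLogonTimestamp AS ad_lastLogonTimestamp
```outputlookup replaces the existing ad_assets contents, so a partial or empty LDAP result overwrites a good lookup; check the row count before scheduling this.```
| outputlookup ad_assets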