All Apps and Add-ons

trying LDAPFilter to correlate logs - getting error

ariswadkar
New Member

I'm trying to correlate user/department from AD against some security logs that contain username in "User_Name" . I'm doing some field extractions because that field is in the format domain\username and there isn't a field that I've seen in our AD based on LDAPsearch in that format. The query and the error that I'm getting are below. I haven't been able to find any information on this error.

host=<Host> | eval fld_username=if(substr(User_Name,1,len("Domain"))=="Domain",substr(User_Name,len("Domain\\")+1,len(User_Name)),"false")|ldapfilter domain=default search="(&(objectclass=user) (mailNickname=$fld_username$))" 

External search command 'ldapfilter' returned error code 1. Script output = " ERROR "00002120: SvcErr: DSID-031404AF, problem 5012 (DIR_ERROR), data 0 "

0 Karma

kalianov
Path Finder
  1. Update your APP "Splunk Supporting Add-on for Active Directory"

  2. Check your (eval fld_username=...) string without ldapfilter part

  3. Try this:
    | ldapfilter domain="default" search="(&(objectclass=user) (sAMAccountNAme=$fld_username$))"
    attrs="sAMAccountNAme,telephoneNumber,displayName,title,department" | streamstats count AS N
    |table N, _time, fld_username, displayName,title,department,tel,telephoneNumber

0 Karma

ariswadkar
New Member

I cleared the error because I was missing the attrs parameter. But the query you'd provided doesn't include some of the information that I'm looking for - particularly department.

This is what the query looks like now.

host=dgmc User_Name="DPCWL\*"| eval fld_username=substr(User_Name,len("DPCWL\\")+1,len(User_Name))|ldapfilter domain=default search="(&(objectclass=user) (mailNickname=$fld_username$)(!(objectClass=computer)))" attrs="mailNickname, department"
0 Karma

aaraneta_splunk
Splunk Employee
Splunk Employee

@ariswadkar - Is this search query you provided above the answer to your original question or was it intended as a comment/feedback to kalianov's answer? If yes--it is a working solution, please click "Accept" to resolve this question. If no, I can convert to your answer to a comment for better readability. Thanks.

0 Karma

ariswadkar
New Member

It's intended as a comment- it's not returning anything for department.

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...