All Apps and Add-ons

using ldapsearch, ldapfetch to augment searchresults

dominiquevocat
Motivator

I would like to fetch attributes from our metadirectory for any number of reasons

with the splunk support app ldap commands it is basically possible to query ldap and it sort of works

so doing
mysearch |ldapfilter domain=meta-intg search="(&(objectClass=inetOrgPerson)(cn=$CN$))" attrs="description,fullname,dn"

gives a table view with the attribute values as fields but i don't see the fields in the fields explorer sidebar and i can't use the fields in any subsequent command like table etc or augment them to the log entries.

What am i doing wrong?

ps: there is a small issue hence the filter else i get results but also a "size limit exceeded" resulting in zero results.

0 Karma

howyagoin
Contributor

I'm having the same problem, and the workaround described at:

http://answers.splunk.com/answers/94160/ldapfilter-unable-use-fields-returned-by-ldapfilter-in-subse...

Does seem to work, but it creates ugly/inconsistent results. I don't see where the fields are multi-value, and doing an export to JSON/CSV/XML confirms this, but without doing this series of eval statements, I can't get data in a table either.

0 Karma

mrflibbleuk
New Member

Hi,

I am having the same issue as outlined in the original question. Was the solution to this ever identified?

0 Karma

dominiquevocat
Motivator

This might very well be the thing... 😞

0 Karma

ahall_splunk
Splunk Employee
Splunk Employee

The field names are not the same as you type - they are the "official" names - remember that field names are case sensitive. For example, dn is actually called "distinguishedName" - dn is just an alias.

ahall_splunk
Splunk Employee
Splunk Employee

You are using it in the right way, so something else must be going on. On my 5.0.1 system, this results in the fields appearing in the side-bar. We also use table, etc. several times in the Splunk App for Active Directory, so that would break if this didn't work.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...