Splunk Search

Querying AD accounts and email addresses

Sotu
Engager

I am able to pull my AD users account information successfully except for their email addresses.  What am I doing wrong? Apologize since I am still learning.


| inputlookup AD_Obj_User WHERE domain="mydomain"
| fields domain, sAMAccountName, userAccountControl, uac_details, distinguishedName, mail, whenChanged, whenCreated
| table domain, sAMAccountName, userAccountControl, uac_details, distinguishedName, mail, whenChanged, whenCreated
| eval uac_details=replace(mvjoin(uac_details,":"),"([\r\n]+)",":")
| makemv delim=":" uac_details
| search [| makeresults | eval uac_details=replace("#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#","#empty#","")
    | makemv delim="," uac_details
    | eval mfilt_uac=mvfilter(match(uac_details,"^\w+"))
    | eval search=if(isnull(mfilt_uac),"","uac_details=\"".mvjoin(mfilt_uac,"\" AND uac_details=\"")."\"")
    | table search]
| sort 0 sAMAccountName
| rename sAMAccountName AS "user", uac_details AS userAccountControl_Details

yuanliu
SplunkTrust

The First Law of asking an answerable question states:

Present your dataset (anonymize as needed), illustrate desired output from illustrated dataset, explain the logic between illustrated dataset and desired output. (Without SPL.)

If attempted SPL does not give desired output, also illustrate actual output (anonymize as needed), then explain its difference from desired results if it is not painfully clear.

I am able to pull my AD users account information successfully except for their email addresses. 

Can you explain from which source you are pulling AD info?  Your SPL only uses a lookup file.  Do you mean

  1. lookup table AD_Obj_User contains email addresses but the illustrated SPL does not output them, or
  2. your effort to populate AD_Obj_User fails to obtain email addresses from a legitimate AD source (as @deepakc speculated)?

If former, what is the purpose of the SPL?  What is the content of AD_Obj_User?  What is the desired output and the logic between the content and desired output?

If latter, what is the purpose of showing SPL?

deepakc
Builder


It could be a permissions issue: you need to be able to read the email address attribute ((&(objectClass=user)(objectCategory=person)(mail=*))). Check the permissions of the user account that is being used to pull the LDAP data; see your AD admin. Or run something like the below to check under that user account.

dsquery user -samid username | dsget user -email

If not, find out how it's being populated; normally it's done via the ldapsearch command, see references below.

Check the ldapsearch that creates the lookup and you should have the data there; this may have been created already as a scheduled search.

Reference:

Ldap Search using the command

https://docs.splunk.com/Documentation/SA-LdapSearch/3.0.8/User/Theldapsearchcommand

Ldap Add-on
https://docs.splunk.com/Documentation/SA-LdapSearch/3.0.8/User/AbouttheSplunkSupportingAdd-onforActi... 

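An added example, not from the thread or the add-on's documentation, of the check deepakc describes: run the ldapsearch command under the same Splunk domain configuration (and therefore the same bind account) that the lookup generator uses, request the mail attribute explicitly, and count how many person objects come back without it; the second search is what a refresh of the lookup would then look like. The domain name "mydomain" and the attribute list are assumptions, and the uac_details field in the original lookup is produced elsewhere and is not recreated here.

```spl
| ldapsearch domain="mydomain" search="(&(objectClass=user)(objectCategory=person))" attrs="sAMAccountName,mail,userAccountControl"
| eval has_mail=if(isnotnull(mail) AND mail!="", "yes", "no")
| stats count BY has_mail

| ldapsearch domain="mydomain" search="(&(objectClass=user)(objectCategory=person))" attrs="sAMAccountName,mail,userAccountControl,distinguishedName,whenCreated,whenChanged"
| eval domain="mydomain"
| outputlookup AD_Obj_User
```

If every row comes back with has_mail=no although the accounts have mailboxes, the bind account configured for that domain cannot read the mail attribute (the permissions case above); if the counts look right, the existing lookup generator is simply not requesting or writing the attribute.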