Getting Data In

Extracting hostname from event and then checking presence of computer account in ActiveDirectory using extracted text

dmcinnis
New Member

Hi Everyone,

I have a question regarding looking up an extracted/generated field from Splunk against Active Directory at search time.
The objective is as follows
1. Extract hostname from DHCP log
2. Check if hostname is present as a Computer object in AD
3. If not present, return hostname as a result

Do I have to extract all AD computer account objects and then put them in a CSV file to do a lookup against, or is it possible to compare the extracted hostnames against AD directly at search time using something like inline ldapsearch?

Any help would be greatly appreciated; I hope my search fu did not miss an existing answer to this kind of question.

Many thanks
David.


yannK
Splunk Employee

Use a subsearch result to populate the search condition of the main search.

<main_search_conditions> [ search <subsearch_on_ldap> | dedup host | table host ]
| <end_of_my_mainsearch_processing>

The subsearch will return something in the format (host=A OR host=B OR host=C ...).
The time range will be the same for both searches. You can specify it manually in the search terms if different ranges are needed.

see http://docs.splunk.com/Documentation/Splunk/6.0/Search/Usesubsearchtocorrelateevents


gkanapathy
Splunk Employee

It certainly is possible to perform a dynamic (scripted) lookup against any external source (such as Active Directory) rather than keeping a file up to date or using a subsearch.

The subsearch, as answered by yannK, does solve your problem, provided you use the ldapsearch search command that is provided in the Splunk Support for AD app http://apps.splunk.com/app/1151/# It does have some limitations, though.

If you did want a lookup, you would either keep the AD CSV file up to date, or you would build a dynamic lookup. Unfortunately the Splunk AD app doesn't include such a program. You can find out how to structure such a lookup program here: http://docs.splunk.com/Documentation/Splunk/6.0/Knowledge/Addfieldsfromexternaldatasources#Set_up_a_...
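An external lookup script of the kind gkanapathy describes, as an added example (this is not code from the thread or from the Splunk Support for AD app). It follows Splunk's external lookup protocol: the field names arrive as command-line arguments, the rows arrive as CSV on stdin, and the script writes the same CSV back with the output field filled in. The LDAP query itself is not shown; ad_computer_names() takes an optional callable for it and otherwise falls back to a constructed sample of computer names so the script runs offline. Reducing the DHCP hostname to a lower-cased short name for comparison against sAMAccountName is an assumption about how the two sources relate.

```python
#!/usr/bin/env python3
"""External (scripted) Splunk lookup: flag whether a host exists as an AD computer.

Added example for this thread, not code from the Splunk Support for AD app.
Splunk runs an external lookup as   script.py <input_field> <output_field>
with a CSV carrying those header columns on stdin, and expects the same CSV
back on stdout with the output field filled in for each row.
"""
import csv
import sys


def ad_computer_names(ldap_query=None):
    """Return the set of AD computer names, lower-cased with the trailing '$' removed.

    ldap_query is a callable returning sAMAccountName values from the domain
    (an assumption; e.g. an ldap3 search for (objectClass=computer)). Without
    one, a constructed sample is used so the script runs offline.
    """
    names = ldap_query() if ldap_query else ["WS-001$", "ws-002$", "FILESRV01$"]  # constructed sample
    return {name.rstrip("$").lower() for name in names}


def normalise_host(value):
    """Reduce a DHCP hostname (short name, FQDN, or with a trailing dot) to its
    lower-cased short name, the form that matches the names returned above."""
    return value.strip().rstrip(".").split(".")[0].lower()


def annotate(rows, in_field, out_field, known):
    """Set out_field to 'true'/'false' on each row according to whether the host
    in in_field is a known AD computer. Rows with no host are left untouched."""
    result = []
    for row in rows:
        host = row.get(in_field) or ""
        if host:
            row[out_field] = "true" if normalise_host(host) in known else "false"
        result.append(row)
    return result


def run(argv, stdin, stdout, known=None):
    """Speak Splunk's external lookup protocol: argv names the fields, stdin
    carries the CSV rows, stdout receives the annotated CSV. Returns exit status."""
    if len(argv) != 3:
        sys.stderr.write("usage: %s <host_field> <flag_field>\n" % argv[0])
        return 1
    in_field, out_field = argv[1], argv[2]
    reader = csv.DictReader(stdin)
    if not reader.fieldnames:  # empty input: nothing to annotate
        return 0
    if in_field not in reader.fieldnames or out_field not in reader.fieldnames:
        sys.stderr.write("fields %s and %s must both be in the CSV header\n" % (in_field, out_field))
        return 1
    if known is None:
        known = ad_computer_names()
    writer = csv.DictWriter(stdout, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in annotate(reader, in_field, out_field, known):
        writer.writerow(row)
    return 0


if __name__ == "__main__":
    sys.exit(run(sys.argv, sys.stdin, sys.stdout))
```

Wire it up in transforms.conf with external_cmd = ad_computer_lookup.py host in_ad and fields_list = host, in_ad, then finish the search with | lookup <stanza_name> host OUTPUT in_ad | where in_ad="false" to get the hosts the question asks for. Two caveats a practitioner should keep in mind: the script runs under the Python interpreter Splunk bundles on the search head for every search that uses the lookup, so the LDAP bind it performs should use a read-only account whose credential is not hard-coded in the script; and the hostname in a DHCP lease is supplied by the client, so a device that claims an existing computer's name passes this check. It finds unmanaged devices; it does not authenticate them.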

dmcinnis
New Member

Many thanks. I messed up when marking answers, so you should both get the nod for answering my question.



somesoni2
Revered Legend

You can use the 'ldapfilter' command to query against LDAP in the search.
