Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to join REST & search results?

manderson7
Contributor
‎10-06-2022 06:53 AM

I'm really bad when it comes to join searches, though I've been doing this for years. 

I'm able to find the list of orphaned searches using:

 

| rest /servicesNS/-/-/admin/directory count=0 splunk_server=<splunkserver>
| rename eai:* as *, acl.* as * 
| eval updated=strptime(updated,"%Y-%m-%dT%H:%M:%S%Z"), updated=if(isnull(updated),"Never",strftime(updated,"%d %b %Y")) 
| sort type 
| eval sAMAccountName=owner 
| stats count by title orphaned sAMAccountName sharing type owner updated app disabled 
| search orphaned=1

 

and we have a summary index containing our LDAP users & managers for those users. Using the following search returns users and their managers:

 

index=metrics_summary source="LDAP*" source IN("LDAP GROUP USER DIVISION Summary Index Search" "LDAP_GROUP_USER_DIVISION_Summary_Index_Search" lookup_ldap_group_user_division) sAMAccountName=e* OR sAMAccountName=v* |table sAMAccountName displayName mail department division manager

 

But I haven't been able to join the two searches together to give me the manager name of the user w/ the orphan search. I've tried variations of the following:

 

| rest /servicesNS/-/-/admin/directory count=0 splunk_server=<splunkserver> 
| rename eai:* as *, acl.* as * 
| eval updated=strptime(updated,"%Y-%m-%dT%H:%M:%S%Z"), updated=if(isnull(updated),"Never",strftime(updated,"%d %b %Y")) 
| sort type 
| eval sAMAccountName=owner 
| stats count by title orphaned sAMAccountName sharing type owner updated app disabled 
| search orphaned=1
| join sAMAccountName type=outer max=0 
    [|search index=metrics_summary source="LDAP*" source IN("LDAP GROUP USER DIVISION Summary Index Search" "LDAP_GROUP_USER_DIVISION_Summary_Index_Search" lookup_ldap_group_user_division) 
| stats latest(_time) AS latest values(displayName) values(mail) values(distinguishedName) values(department) values(division) latest(userAccountControl) values(manager) by sAMAccountName 
| rename values(*) AS *, latest(*) AS *]

 

but this only comes back w/ results from the rest call. 

I know I get results using the summary index search. How do I merge these?

 

Thanks

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jdunlea
Contributor
‎10-06-2022 07:24 AM

How many results are you getting with the summary search? If it is more than 10k, then the subsearch will be limited to 10k results (if I remember correctly) and therefore you may be trimming the result set before doing the join. 

 

If you have more than 10k results from your summary index search, I recommend trying to swap the positions of the REST search and the summary search. So run the summary search first and do the REST search as the subsearch.

Also, you could try converting your sAMAccountName to lowercase in both searches to avoid case issues. Additionally, I recommend doing some sort of "stats .... by sAMAccountName" in your summary search in order to remove any possible duplicates which might be interfering with the join. 

View solution in original post

Reply
Solved! Jump to solution
Solution

jdunlea
Contributor
‎10-06-2022 07:24 AM

How many results are you getting with the summary search? If it is more than 10k, then the subsearch will be limited to 10k results (if I remember correctly) and therefore you may be trimming the result set before doing the join. 

 

If you have more than 10k results from your summary index search, I recommend trying to swap the positions of the REST search and the summary search. So run the summary search first and do the REST search as the subsearch.

Also, you could try converting your sAMAccountName to lowercase in both searches to avoid case issues. Additionally, I recommend doing some sort of "stats .... by sAMAccountName" in your summary search in order to remove any possible duplicates which might be interfering with the join. 

Reply
Solved! Jump to solution

manderson7
Contributor
‎10-06-2022 07:54 AM

That helped quite a bit, thanks. The somewhat final search came out to be:

| rest /servicesNS/-/-/admin/directory count=0 splunk_server=<splunkserver> 
| rename eai:* as *, acl.* as * 
| eval updated=strptime(updated,"%Y-%m-%dT%H:%M:%S%Z"), updated=if(isnull(updated),"Never",strftime(updated,"%d %b %Y")) 
| sort type 
| eval sAMAccountName=lower(owner) 
| stats count by title orphaned sAMAccountName sharing type owner updated app disabled 
| search orphaned=1
| join sAMAccountName
    [| search index=metrics_summary source="LDAP*" source IN("LDAP GROUP USER DIVISION Summary Index Search" "LDAP_GROUP_USER_DIVISION_Summary_Index_Search" lookup_ldap_group_user_division) sAMAccountName=e* OR sAMAccountName=v* NOT sAMAccountName=e-mail* userAccountControl=*ACCOUNTDISABLE* 
| eval sAMAccountName=lower(sAMAccountName) 
| stats latest(_time) AS latest values(displayName) values(mail) values(distinguishedName) values(department) values(division) latest(userAccountControl) values(manager) by sAMAccountName]

I needed to limit the results more in the subsearch. Thanks so much.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...