- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Splunk Support for Active Directory: Why does our ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
We are trying to pull a full list of identities from Active Directory to use with Enterprise Security. We are using the following search:
| ldapsearch basedn="OU=,Users,DC=,DC=" search="(objectClass=user)" | table * | outputlookup ldap_identities.csv
We've run this search manually and have also scheduled a report to run over night, however, the searches never finish. There are no errors being reported on the page or in SA-ldapsearch.log, it just seems that the search never completes.
Does anyone know of a more efficient search that will pull a large amount of data from AD?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In case anyone was experiencing a similar issue - we made use of the "attrs" field and now the search finishes just fine.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In case anyone was experiencing a similar issue - we made use of the "attrs" field and now the search finishes just fine.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Did you hide your base DN details in purpose?
| ldapsearch basedn="OU=,Users,DC=,DC=" search="(objectClass=user)"
Otherwise you are missing information there:
| ldapsearch basedn="OU=Users,DC=domain,DC=com" search="(objectClass=user)"
Also keep in mind that if you don't specify the domain name it will try the default one.
When you run the query above from the GUI, does it return anything at all?
Another comment would be around the use of outputlookup. Are you planning to use this csv later on with the lookup command or do you just simply want to output that as a csv? If the latter, it might be better to use outputcsv.
Hope that helps.
Thanks,
J
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Javiergn,
Thanks for the suggestions -
Yep base DN details were purposely removed from the thread 🙂 and we are using the default domain.
We have been using the GUI and we only see "No results yet found" and the search continues to run for hours. It looks as if it never completes.
For right now we just want to output as a csv - we tried using outputcsv but are getting the same results.
I've also tried looking at SA-LDAPSearch.log but there are no indications of any errors.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
