Run external Linux command from within search.

westar
Engager

I need to run a shell script or Linux command inside my search to obtain external LDAP information. I have a UserID that I would like to associate to a full name using an ldapsearch command, passing the UserID from the search.

1 Solution

the_wolverine
Champion

It can be done:

  • Write a script that queries LDAP for all the required attributes and convert the resultset to a csv file.

  • Configure a lookup for your source or sourcetype to query the csv file to match the userid to CN.

gkanapathy
Splunk Employee

You can either use a lookup script (follow Lowell's links) or create a custom search command. I would recommend the lookup script, and it sounds like it fits your use case best. A similar alternative that can perform better if you don't require live lookups is to periodically export the data en masse from the LDAP server, write it in CSV file format into the appropriate location on the Splunk search server, and use a Splunk file lookup against this file.

Lowell
Super Champion

Sounds like you want to use an external lookup script. These have to be written in Python, but you can use a simple Python script to call the necessary ldap commands (via the command line, or via Python ldap modules). From there it's a simple matter of writing out a CSV file that contains your new output fields.
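A sketch of the external lookup script Lowell describes, added here as an example (not code from the thread or from Splunk): Splunk invokes it as `ldap_lookup.py userid cn` and pipes the search results to it as CSV on stdin; the script fills the empty `cn` column and writes the CSV back. The LDAP URI, base DN and the `uid` attribute are assumed placeholders. Because the userid comes straight from event data, it is escaped per RFC 4515 and handed to ldapsearch as a single argv element rather than through a shell, so a hostile field value cannot alter the filter or the command line.

```python
#!/usr/bin/env python3
# Splunk external lookup: invoked as "ldap_lookup.py userid cn", with the
# search results piped in as CSV; echoes them back with "cn" filled in.
import csv
import subprocess
import sys

LDAP_URI = "ldap://ldap.example.com"  # assumed placeholder
BASE_DN = "dc=example,dc=com"         # assumed placeholder

# RFC 4515 escaping: a userid taken from event data must not be able to
# rewrite the filter (e.g. "*" or ")(objectClass=*)" injected via a field).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def ldap_lookup(userid: str) -> str:
    """Resolve one userid to its CN via ldapsearch. The filter is one argv
    element (no shell), so the value is never interpreted by /bin/sh."""
    flt = "(uid=%s)" % escape_filter_value(userid)
    proc = subprocess.run(
        ["ldapsearch", "-x", "-LLL", "-H", LDAP_URI, "-b", BASE_DN, flt, "cn"],
        capture_output=True, text=True, check=False)
    for line in proc.stdout.splitlines():
        if line.startswith("cn: "):
            return line[4:]
    return ""  # unknown user: leave the output field empty

def fill_rows(rows, in_field, out_field, resolve=ldap_lookup):
    """Yield each row with out_field filled; 'resolve' is injectable so the
    CSV handling can be exercised without a directory server."""
    for row in rows:
        if row.get(in_field) and not row.get(out_field):
            row[out_field] = resolve(row[in_field])
        yield row

def main(argv=sys.argv):
    in_field, out_field = argv[1], argv[2]
    reader = csv.DictReader(sys.stdin)
    if not reader.fieldnames:  # empty input: nothing to emit
        return
    writer = csv.DictWriter(sys.stdout, fieldnames=reader.fieldnames)
    writer.writeheader()
    for row in fill_rows(reader, in_field, out_field):
        writer.writerow(row)

if __name__ == "__main__":
    main()
```

Wire it up in transforms.conf with `external_cmd = ldap_lookup.py userid cn` and `fields_list = userid, cn`, then call it from the search with `| lookup <name> userid OUTPUT cn`.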
