Solved: Run external Linux command from within search.

westar · ‎06-23-2010

I need to run a shell script or Linux command inside my search to obtain external Ldap information. I have a UserID that I would like to associate to a full name using a Ldapsearch command passing the UserID from the search.

the_wolverine · ‎06-24-2010

It can be done:

Write a script that queries LDAP for all the required attributes and convert the resultset to a csv file.
Configure a lookup for your source or sourcetype to query the csv file to match the userid to CN.

View solution in original post

the_wolverine · ‎06-24-2010

It can be done:

Write a script that queries LDAP for all the required attributes and convert the resultset to a csv file.
Configure a lookup for your source or sourcetype to query the csv file to match the userid to CN.

gkanapathy · ‎06-24-2010

You can either use a lookup script (follow Lowell's links) or create a custom search command. I would recommend the lookup script, and it sounds like it fits your use case best. An similar alternative that can perform better if you don't require live lookups is to periodically export the data en masse from the LDAP server, write it into a CSV file format into the appropriate location on the Splunk search server, and use a Splunk file lookup against this file.

Lowell · ‎06-23-2010

Sounds like you want to use an external lookup script. These have to be written in python, but you can use a simply python script to call the necessary ldap commands (via command line, or via python ldap modules). From there it's a simple matter of writing out a CSV file that contains your new output fields.

Helpful resources:

Run external Linux command from within search.

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms