All Apps and Add-ons

How do I create a lookup with ldapsearch and use the lookup within the same search?

dpanych
Communicator

My search is not returning any results..

index=_internal source="/opt/splunk/var/log/splunk/metrics.log*" sourcetype="splunkd" fwdType="*"
 [|inputlookup Servers.csv | return 9999 $name] 
| dedup sourceHost 
| table hostname, sourceHost
| search [| ldapsearch basedn="OU=ABC,OU=Servers,OU=SMG,DC=ZZZ,DC=COM" search="(&(objectClass=computer))" attrs="name,distinguishedName" | table name | sort name | outputlookup Servers.csv]

Here was my logic which doesn't work (brain is fried for the day):

  1. ldapsearch queries ldap for the list of host names and creates a lookup
  2. The lookup is then used in the beginning of the search to find all hosts that are reporting to Splunk.

Does that seem correct?

0 Karma

Simon_Mantell
Engager

You can do a join, I use it to compare hosts in AD to Splunk for missing ones

| ldapsearch search="(&(objectClass=user)(&(objectClass=computer)))" 
| table cn lastLogon description
| join type=left cn [
| inputlookup dmc_forwarder_assets | search os=Windows | table hostname, status, arch, last_connected
| rename hostname AS cn]
| eval epoch1day_ago=relative_time(now(), "-1d@d" ) 
| where (last_connected < epoch1day_ago OR isnull(last_connected) )
| eval last_connected=strftime('last_connected', "%c") 
| table cn,lastLogon,description,arch,last_connected,status
0 Karma

woodcock
Esteemed Legend

Assuming that the list of servers returned from the LDAP is a subset of the list of servers that are forwarding, you can use the LDAP to limit your search like this:

index=_internal source="/opt/splunk/var/log/splunk/metrics.log*" sourcetype="splunkd" fwdType="*"
[| ldapsearch basedn="OU=ABC,OU=Servers,OU=SMG,DC=ZZZ,DC=COM" search="(&(objectClass=computer))" attrs="name,distinguishedName" | dedup name | table name | rename name AS sourceHost ] 
| dedup sourceHost 
| table hostname, sourceHost

There really is no reason to save this out to a lookup, at least no reason that you have given.

0 Karma

woodcock
Esteemed Legend

Your search, as explained, benefits not at all from the ldapseaech. As you have explained it (and attempted to implement), the base search is neither (usefully) qualified (limited) by the ldapsearch, nor is any extra host-related information added to the events from the ldapseach. So just skip the ldapsearch entirely.

0 Karma

dpanych
Communicator

The ldapsearch query is pulling back all the hosts for a certain OU, and then I want to search the list of hosts to see if they're "talking"/reporting to Splunk. As @somesoni2 mentioned, having a scheduled search keep the host list updated would be a great alternative.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Why don't you run your ldapsearch query separately, as scheduled search, to generate lookup and then just use it in your regular search? I don't think it will be necessary but you can schedule the ldapsearch query to run more frequently if your server list can change rather frequently.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...