My search is not returning any results.
Here was my logic which doesn't work (brain is fried for the day):
index=_internal source="/opt/splunk/var/log/splunk/metrics.log*" sourcetype="splunkd" fwdType="*"
[| inputlookup Servers.csv | return 9999 $name]
| dedup sourceHost
| table hostname, sourceHost
| search [| ldapsearch basedn="OU=ABC,OU=Servers,OU=SMG,DC=ZZZ,DC=COM" search="(&(objectClass=computer))" attrs="name,distinguishedName" | table name | sort name | outputlookup Servers.csv]
Does that seem correct?
You can do a join; I use it to compare hosts in AD to Splunk for missing ones:
| ldapsearch search="(&(objectClass=user)(&(objectClass=computer)))"
| table cn lastLogon description
| join type=left cn [
| inputlookup dmc_forwarder_assets | search os=Windows | table hostname, status, arch, last_connected
| rename hostname AS cn]
| eval epoch1day_ago=relative_time(now(), "-1d@d" )
| where (last_connected < epoch1day_ago OR isnull(last_connected) )
| eval last_connected=strftime('last_connected', "%c")
| table cn,lastLogon,description,arch,last_connected,status
Assuming that the list of servers returned from the LDAP is a subset of the list of servers that are forwarding, you can use the LDAP to limit your search like this:
index=_internal source="/opt/splunk/var/log/splunk/metrics.log*" sourcetype="splunkd" fwdType="*"
[| ldapsearch basedn="OU=ABC,OU=Servers,OU=SMG,DC=ZZZ,DC=COM" search="(&(objectClass=computer))" attrs="name,distinguishedName" | dedup name | table name | rename name AS sourceHost ]
| dedup sourceHost
| table hostname, sourceHost
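The two searches above take opposite approaches: the join lists every AD computer and flags the ones with no recent forwarder record, while the subsearch filter keeps only the hosts that are already reporting, so it can never surface a host that has gone silent. The following is an added example, not code from this thread or from Splunk, that expresses both in plain Python so the logic can be checked offline. Every hostname, timestamp and lookup row is constructed sample data; the case-insensitive match on hostname, and the use of the forwarder asset list as a stand-in for metrics.log events in the filter function, are assumptions of this example, not something the answers state.

```python
# Added example, not code from the original thread: the AD-vs-Splunk host
# comparison from the join search and the subsearch-filter search above,
# written in plain Python. All hostnames and timestamps are constructed.
from datetime import datetime, timedelta, timezone

# Constructed stand-in for "| ldapsearch search=(&(objectClass=computer))".
AD_COMPUTERS = [
    {"cn": "SRV-WEB01", "description": "web tier"},
    {"cn": "SRV-DB01", "description": "database"},
    {"cn": "SRV-APP02", "description": "app tier, built last week"},
    {"cn": "SRV-OLD09", "description": "retired, AD object never removed"},
]

# Constructed stand-in for "| inputlookup dmc_forwarder_assets".
# last_connected is epoch seconds, as the search above treats it.
FORWARDER_ASSETS = [
    {"hostname": "SRV-WEB01", "os": "Windows", "arch": "x86_64", "status": "active",
     "last_connected": 1710079200.0},   # 2024-03-10 14:00 UTC
    {"hostname": "SRV-DB01", "os": "Windows", "arch": "x86_64", "status": "missing",
     "last_connected": 1709938800.0},   # 2024-03-08 23:00 UTC
    {"hostname": "SRV-LNX01", "os": "Linux", "arch": "x86_64", "status": "active",
     "last_connected": 1710079200.0},   # dropped by the os=Windows filter
    {"hostname": "LAB-WIN77", "os": "Windows", "arch": "x86_64", "status": "active",
     "last_connected": 1710079200.0},   # not in the AD OU, so a left join ignores it
]

# Constructed "now": 2024-03-10 15:30 UTC.
NOW = datetime(2024, 3, 10, 15, 30, tzinfo=timezone.utc)


def relative_time_minus_1d_at_d(now):
    """Python equivalent of Splunk's relative_time(now(), "-1d@d"):
    step back one day, then snap to the start of that day."""
    return (now - timedelta(days=1)).replace(hour=0, minute=0, second=0, microsecond=0)


def find_silent_hosts(ad_computers, forwarder_assets, now):
    """The left join: every AD computer, matched on cn == hostname, is kept
    when it has no forwarder record or last_connected is before the cutoff."""
    # Assumption of this example: hostnames compared case-insensitively.
    by_host = {a["hostname"].upper(): a
               for a in forwarder_assets if a["os"] == "Windows"}
    cutoff = relative_time_minus_1d_at_d(now).timestamp()
    silent = []
    for comp in ad_computers:
        asset = by_host.get(comp["cn"].upper())
        last = asset["last_connected"] if asset else None
        if last is None or last < cutoff:
            silent.append({
                "cn": comp["cn"],
                "description": comp["description"],
                "arch": asset["arch"] if asset else None,
                "status": asset["status"] if asset else None,
                # The search uses strftime('last_connected', "%c"); ISO 8601 here.
                "last_connected": (datetime.fromtimestamp(last, timezone.utc).isoformat()
                                   if last is not None else None),
            })
    return silent


def reporting_ad_hosts(ad_computers, forwarder_assets):
    """The subsearch-as-filter approach: only hosts that already have a
    record can come back, so a host that never reported is simply absent.
    Assumption of this example: the asset list stands in for metrics.log events."""
    ad_names = {c["cn"].upper() for c in ad_computers}
    return sorted(a["hostname"] for a in forwarder_assets
                  if a["hostname"].upper() in ad_names)


if __name__ == "__main__":
    for row in find_silent_hosts(AD_COMPUTERS, FORWARDER_ASSETS, NOW):
        print(row)
    print("reporting:", reporting_ad_hosts(AD_COMPUTERS, FORWARDER_ASSETS))
```

With the constructed data, the join approach reports SRV-DB01 (last seen before the previous midnight), SRV-APP02 and SRV-OLD09 (no forwarder record at all), while the filter approach returns only SRV-DB01 and SRV-WEB01 and says nothing about the two hosts that never checked in. That difference is the reason the join, rather than the subsearch filter, is the one to schedule when the goal is to find servers that are not talking to Splunk.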
There really is no reason to save this out to a lookup, at least no reason that you have given.
Your search, as explained, benefits not at all from the ldapsearch. As you have explained it (and attempted to implement), the base search is neither (usefully) qualified (limited) by the ldapsearch, nor is any extra host-related information added to the events from the ldapsearch. So just skip the ldapsearch entirely.
The ldapsearch query is pulling back all the hosts for a certain OU, and then I want to search the list of hosts to see if they're "talking"/reporting to Splunk. As @somesoni2 mentioned, having a scheduled search keep the host list updated would be a great alternative.
Why don't you run your ldapsearch query separately, as scheduled search, to generate lookup and then just use it in your regular search? I don't think it will be necessary but you can schedule the ldapsearch query to run more frequently if your server list can change rather frequently.