Splunk Search

Performing a Splunk LDAP search from a field in an existing CSV file

roayers
Explorer

Here is what I'm trying to accomplish. I have a CSV file that I generated with an existing search; it looks like this:

IP,cn,Region,City,Country
"0.0.0.0",johndoe,somestate,"somecity","United States"

I'm trying to perform the LDAP search using all of the cn field values and append the results into a new table with additional AD values from the ldapsearch.

My single LDAP search is presently working properly:

| ldapsearch domain=pa.lcl search="(cn=johndoe)" | table cn,title,displayName,employeeID,mail,company,department,extensionAttribute3,streetAddress,l,st,telephoneNumber,lastLogonTimestamp,lockoutTime,extensionAttribute15 | rename cn as "User ID", displayName as "Display Name", employeeID as "Employee Number", company as "Agency", department as "Department", mail as "Email", title as "Title", st as "State", streetAddress as "Street Address", l as "City", telephoneNumber as "Telephone Number", lastLogonTimestamp as "Last Logon", extensionAttribute15 as "VPN Group", extensionAttribute3 as "Deputate", lockoutTime as "LockOut Time"

Here is the output of that search (data removed):

User ID Title Display Name Employee Number Email Agency Department Deputate Street Address City State Telephone Number Last Logon LockOut Time VPN Group

Here are the fields from the LDAP search that I want to add to the final table:

cn,title,displayName,employeeID,mail,company,department,extensionAttribute3,streetAddress,l,st,telephoneNumber,lastLogonTimestamp,lockoutTime,extensionAttribute15 | rename cn as "User ID", displayName as "Display Name", employeeID as "Employee Number", company as "Agency", department as "Department", mail as "Email", title as "Title", st as "State", streetAddress as "Street Address", l as "City", telephoneNumber as "Telephone Number", lastLogonTimestamp as "Last Logon", extensionAttribute15 as "VPN Group", extensionAttribute3 as "Deputate", lockoutTime as "LockOut Time"

Can anyone help?

Thanks in advance.
Robert

0 Karma

sundareshr
Legend

Have you looked at the map command? I haven't tried this...

| inputlookup lookupfile.csv | table cn | map "search=| ldapsearch domain=pa.lcl search="(cn=$cn$)" | table cn,title,displayName,employeeID,mail,company,department,extensionAttribute3,streetAddress,l,st,telephoneNumber,lastLogonTimestamp,lockoutTime,extensionAttribute15" | rename cn as "User ID", displayName as "Display Name", employeeID as "Employee Number", company as "Agency", department as "Department", mail as "Email", title as "Title", st as "State", streetAddress as "Street Address", l as "City", telephoneNumber as "Telephone Number", lastLogonTimestamp as "Last Logon", extensionAttribute15 as "VPN Group", extensionAttribute3 as "Deputate", lockoutTime as "LockOut Time"

The map command does have certain limitations: https://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/Map

0 Karma

leoevs
New Member

I tried this solution and got the error:

[map]: External search command 'ldapsearch' returned error code 1. Script output = "error_message=invalid filter ".

When I remove "$" from $cn$, it fixes the error, but there are no results in the search.
Can anyone help?

0 Karma

richgalloway
SplunkTrust

@leoevs This thread is nearly four years old. Please post a new question describing your problem.

---
If this reply helps you, Karma would be appreciated.
0 Karma

leoevs
New Member

Thanks for the advice, but I found the problem.

Probably in version 8 the map command needs the syntax "map cn" and escaped quotes; in this case it looks like:

| inputlookup lookupfile.csv | table cn | map cn search="| ldapsearch domain=pa.lcl search=\"(cn=$cn$)\" | table cn,title,displayName,employeeID,mail,company,department,extensionAttribute3,streetAddress,l,st,telephoneNumber,lastLogonTimestamp,lockoutTime,extensionAttribute15" | rename cn as "User ID", displayName as "Display Name", employeeID as "Employee Number", company as "Agency", department as "Department", mail as "Email", title as "Title", st as "State", streetAddress as "Street Address", l as "City", telephoneNumber as "Telephone Number", lastLogonTimestamp as "Last Logon", extensionAttribute15 as "VPN Group", extensionAttribute3 as "Deputate", lockoutTime as "LockOut Time"

Thanks
https://answers.splunk.com/answers/813606/combine-base-search-with-ldapsearch.html

0 Karma
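The searches in this thread substitute each CSV cn value verbatim into the (cn=$cn$) filter. A cn that contains an LDAP filter metacharacter (*, (, ), \ or NUL) then either changes what the filter matches or makes the filter invalid, so the value should be escaped per RFC 4515 before substitution. The following Python is an added example, not code from this thread or from Splunk: it reads a constructed CSV in the question's layout, builds an escaped filter per row, runs it against a constructed in-memory directory (mock_ldapsearch stands in for the ldapsearch command and also honours an unescaped * as a wildcard, so the two cases can be compared), and renames the attributes with the same mapping as the thread's | rename clause. DIRECTORY, CSV_TEXT and mock_ldapsearch are assumptions made for the example.

```python
import csv
import io
import re

# Constructed sample input in the layout from the question (not real data).
# The second cn deliberately contains an LDAP filter metacharacter, and the
# third cn has no directory entry, so the join has to tolerate a miss.
CSV_TEXT = """IP,cn,Region,City,Country
"0.0.0.0",johndoe,somestate,"somecity","United States"
"0.0.0.0",j*doe,somestate,"somecity","United States"
"0.0.0.0",nosuchuser,somestate,"somecity","United States"
"""

# Constructed stand-in for the directory that ldapsearch would query.
# Attributes not listed here come back as empty strings in the final table.
DIRECTORY = {
    "johndoe": {"title": "Analyst", "displayName": "John Doe",
                "employeeID": "1001", "mail": "johndoe@example.invalid",
                "department": "IT", "extensionAttribute15": "vpn-users"},
    "j*doe": {"title": "Engineer", "displayName": "J Doe",
              "employeeID": "1002", "mail": "jdoe@example.invalid"},
}

# Attribute -> column mapping copied from the thread's | rename clause.
RENAMES = [
    ("cn", "User ID"), ("title", "Title"), ("displayName", "Display Name"),
    ("employeeID", "Employee Number"), ("mail", "Email"), ("company", "Agency"),
    ("department", "Department"), ("extensionAttribute3", "Deputate"),
    ("streetAddress", "Street Address"), ("l", "City"), ("st", "State"),
    ("telephoneNumber", "Telephone Number"), ("lastLogonTimestamp", "Last Logon"),
    ("lockoutTime", "LockOut Time"), ("extensionAttribute15", "VPN Group"),
]

# RFC 4515 section 3: these characters must appear as backslash + two hex digits
# inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a string for use as an assertion value in an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(cn):
    """Build the exact-match (cn=...) filter the thread's searches use, escaped."""
    return "(cn=%s)" % escape_filter_value(cn)


_HEX = re.compile(r"\\([0-9a-fA-F]{2})")


def unescape_filter_value(value):
    """Turn RFC 4515 \\xx escapes back into the literal characters."""
    return _HEX.sub(lambda m: chr(int(m.group(1), 16)), value)


def mock_ldapsearch(ldap_filter):
    """Constructed stand-in for ldapsearch: supports only a (cn=value) filter.

    An unescaped '*' in the value acts as a wildcard, as it would on a real
    directory; escaped sequences are matched literally. Anything else is
    rejected as an invalid filter.
    """
    m = re.fullmatch(r"\(cn=([^()]*)\)", ldap_filter)
    if m is None:
        raise ValueError("invalid filter")
    # Split on raw wildcards first, then unescape each literal piece.
    pieces = [re.escape(unescape_filter_value(p)) for p in m.group(1).split("*")]
    matcher = re.compile("^" + ".*".join(pieces) + "$")
    return [dict(attrs, cn=cn) for cn, attrs in DIRECTORY.items() if matcher.match(cn)]


def build_table(csv_text):
    """Per CSV row: escape the cn, search, and emit one renamed row (left join)."""
    table = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        results = mock_ldapsearch(build_filter(row["cn"]))
        entry = results[0] if results else {"cn": row["cn"]}
        table.append({new: entry.get(old, "") for old, new in RENAMES})
    return table


if __name__ == "__main__":
    for out in build_table(CSV_TEXT):
        print(out)
```

Running the block shows the difference the escaping makes: the raw filter (cn=j*doe) matches both johndoe and j*doe, while build_filter("j*doe") yields (cn=j\2adoe) and matches only the literal entry. Rows with no directory hit keep their User ID with the remaining columns empty, which is what makes a later count of unmatched users easy.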

roayers
Explorer

Thanks, sundareshr. I'll let you know the outcome.

0 Karma