Splunk Search

user ldap results in my search

chadman
Path Finder

I have an ldap search that pulls computers from active directory group and works great. something like:

|ldapsearch domain=domaingoeshere search="(&(objectClass=computer)(memberOf=cn=mygroup,domaingoeshere))" attrs="name"

I have another search that will work great with one computer name that looks like:

sourcetype=patchlog host=servername | eventstats latest(_time) as TIME | where _time = TIME |dedup TIME |table name DateTime Status

How can I make this work with one search for every computer listed in my first ldap search? So instead of having the host=servname it will use the list of computers from my first search. The ldap search will output server names like server1 server2 server3 etc.

0 Karma
1 Solution

gcusello
SplunkTrust

Hi,
You could use the first search as a subsearch of the second, but it will be very slow.
The best solution is to schedule the first search to populate a lookup (first search and the outputlookup command).
Then use the lookup in the second search, something like this:
sourcetype=patchlog [ | inputlookup my_lookup.csv | fields host ]
| eventstats latest(_time) as TIME
| where _time = TIME
|dedup TIME
|table name DateTime Status host

Bye.
Giuseppe

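The two-step approach spelled out end to end, as an added example rather than code from the thread (the lookup name `patch_hosts.csv`, the `rename` of the ldap `name` attribute to `host`, and the `by host` grouping are assumptions; the first search is the one you schedule, the second is the one you run interactively):

```spl
| ldapsearch domain=domaingoeshere search="(&(objectClass=computer)(memberOf=cn=mygroup,domaingoeshere))" attrs="name"
| rename name AS host
| table host
| outputlookup patch_hosts.csv

sourcetype=patchlog
    [ | inputlookup patch_hosts.csv | fields host ]
| eventstats latest(_time) AS TIME by host
| where _time = TIME
| dedup host
| table host name DateTime Status
```

The subsearch expands to `(host="server1") OR (host="server2") ...`, so the lookup column must be named `host`, which is why the scheduled search renames the ldap `name` attribute. The `by host` on `eventstats` keeps each computer's own latest patch event rather than only the single most recent event across the whole group.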
chadman
Path Finder

I can't get the output to work. I believe this is because of the multiple search heads we have in our infrastructure. That's why I was trying to do this in one search without using an output.

0 Karma

gcusello
SplunkTrust

Search heads automatically align lookups; using the ldap search as a subsearch is possible but slow.
Bye.
Giuseppe

0 Karma