- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- ldap seach with a wildcard
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a search below that works fine, but I would like to add a wildcard to it.
This search works
| ldapsearch domain=mydomain.com search=(&(objectClass=computer)(memberOf="CN=Patch1, OU=Patches,OU=Wintel,DC=Mydomain,DC=com)) attrs=name
I would like to do something like below, but it does not show any results with the wildcard.
| ldapsearch domain=mydomain.com search=(&(objectClass=computer)(memberOf="CN=Patch*, OU=Patches,OU=Wintel,DC=Mydomain,DC=com)) attrs=name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Chadman,
Try something like this:
search="(CN=Patch*)"
and keep adding to if that is working in your environment.
Or you can get a bit more creative (not sure if this will work for you, you may want to try creating a Lookup that you can pull the data from, to search):
| ldapsearch domain=mydomain.com search=objectClass=computer | search memberOf="(CN=Patch*, OU=Patches,OU=Wintel,DC=Mydomain,DC=com)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This issue has been resolved: https://docs.splunk.com/Documentation/SA-LdapSearch/2.2.1/User/ReleaseNotes#Fixed_issues
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Chadman,
Try something like this:
search="(CN=Patch*)"
and keep adding to if that is working in your environment.
Or you can get a bit more creative (not sure if this will work for you, you may want to try creating a Lookup that you can pull the data from, to search):
| ldapsearch domain=mydomain.com search=objectClass=computer | search memberOf="(CN=Patch*, OU=Patches,OU=Wintel,DC=Mydomain,DC=com)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hos_2,
That does kind of work, but how can I do something like below to narrow down the search?
search="(CN=Patch*)(OU=Wintel)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I believe you need to use the and filtercomp "&". Still learning myself, but might try:
search=(&(CN=Patch*)&(OU=Wintel))
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Maybe something like this?
search memberOf="CN=Patch*" AND memberOf=(OU=Patches,OU=Wintel,DC=Mydomain,DC=com)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Cant get that to work, syntax might be wrong. I have tried a couple variations. I also tried to add basedn=(OU=Patches,OU=Wintel,DC=Mydomain,DC=com) thinking that would limit the scope of my search, but it's not.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah we had similar issues with the data, our work around was to just gather everything in a lookup daily, then run searches off the lookup tables.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks. I might look into that also. I was hopping to avoid having another process to create the lookup table. I also posted another question similar, but without wild cards.
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
