Hi,
Please find the query
| ldapsearch search="(&(objectCategory=group))" attrs="member;range0-1499" | table member;range0-1499.
Note: I am not getting empty in member attribute
Doing some tests myself, it seems that SA-ldapsearch doesn't properly handle attribute range retrieval with Active Directory. As @richgalloway suggests, you should file a bug report for it.
On the plus side, given that range=0-1499 is the first retrieval set, and that ldapsearch generates a JSON event, and it seems to actually retrieve the range attribute... you can use spath to extract the ranged field, and grab it:
| ldapsearch search="(cn=ReallyBigGroup)" attrs="member" | spath | table "member;range=0-1499{}"
Obviously it doesn't work for any other ranges:
| ldapsearch search="(cn=ReallyBigGroup)" attrs="member;range=1500-*" | spath
Yields:
External search command 'ldapsearch' returned error code 1. Script output = "error_message=Invalid attribute types in attrs list: member;range=1500-* "
(which is why I'm now looking through the Python script to figure out why it can't parse the attribute range)
EDIT: it doesn't help that the packaged version of the ldap3 library seems to be really old... version 0.9.5.3, which isn't a tagged version on GitHub... 0.9.5.2 was released 4 years ago.
The first error seems to come from SA-ldapsearch/bin/packages/app/init.py:437, but then if you edit the code to bypass that you run smack into an error from SA-ldapsearch/bin/packages/ldap3/operation/search.py:315
This is of course looking at SA-ldapsearch v2.1.6
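As an added example (not part of the original post and not SA-ldapsearch or ldap3 code), this sketch shows what a client has to do for range retrieval to return a complete `member` list, which is what a group-membership audit depends on: parse the ranged attribute name, then keep requesting `member;range=<next>-*` until the server answers with a `-*` range. `read_entry` and `make_fake_dc` are hypothetical stand-ins for one LDAP search and a domain controller, the 1500-value page size is taken from the `0-1499` range in the thread, and the sample DNs are constructed.

```python
import re

# AD ranged attribute description, e.g. "member;range=0-1499" or "member;range=1500-*".
RANGED = re.compile(r"^([^;]+);range=(\d+)-(\d+|\*)$", re.IGNORECASE)

def parse_ranged(name):
    """Return (attr, low, high) for a ranged name, high=None for '*'; else None."""
    m = RANGED.match(name)
    if not m:
        return None
    return m.group(1), int(m.group(2)), None if m.group(3) == "*" else int(m.group(3))

def fetch_all(read_entry, attr="member"):
    """Follow range responses until the server marks the last chunk with '*'.

    read_entry(spec) is a hypothetical callable standing in for one LDAP
    search; it returns the entry's attributes as {name: [values]}.
    """
    values, spec = [], attr
    while True:
        entry = read_entry(spec)
        if entry.get(attr):            # small group: plain, unranged answer
            return values + list(entry[attr])
        hits = [(parse_ranged(k), v) for k, v in entry.items()]
        hits = [(p, v) for p, v in hits if p and p[0].lower() == attr.lower()]
        if not hits:                   # attribute absent or empty
            return values
        (_, _low, high), chunk = hits[0]
        values.extend(chunk)
        if high is None:               # "...-*" means nothing is left
            return values
        spec = f"{attr};range={high + 1}-*"

def make_fake_dc(members, page=1500):
    """Constructed stand-in for a domain controller that pages `member`."""
    def read_entry(spec):
        parsed = parse_ranged(spec)
        if not parsed and len(members) <= page:
            return {"member": list(members)}
        low = parsed[1] if parsed else 0
        chunk = members[low:low + page]
        high = "*" if low + page >= len(members) else str(low + len(chunk) - 1)
        entry = {f"member;range={low}-{high}": chunk}
        if not parsed:
            entry["member"] = []       # assumed: plain name comes back empty
        return entry
    return read_entry

# Constructed sample data: 3200 DNs in one group.
SAMPLE = [f"CN=user{i},OU=Staff,DC=example,DC=com" for i in range(3200)]
```

Calling `fetch_all(make_fake_dc(SAMPLE))` walks the ranges 0-1499, 1500-2999 and 3000-* and returns all 3200 values, whereas reading only the first retrieval set would stop at 1500.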
Could you please use this query:
| ldapsearch search="(&(objectCategory=group))" limit=1500 attrs="member" | table member
Also, please let us know if you are looking for attrs=member0 attrs=member1 ... attrs=member1499 as the range value.
"member;range0-1499" is not a typical Splunk field name (semicolons and hyphens are not permitted). Verify the name using the query:
| ldapsearch search="(&(objectCategory=group))" attrs="member;range0-1499" | table *
Also, check the log file (SA-ldapsearch.log) to see if any errors were reported.
Hi, thanks for your reply.
It is sending the error:
Invalid attribute.
But I can see member;range0-1499 in events.
I suspect the app can handle the member attribute, but doesn't like the range qualifier. You should probably contact Splunk support for assistance or to file a bug report.