I'm using the inactive users macro as an example, and I have a particular OU I'd like to ignore. I'd prefer to do it in the ldapsearch itself, but if it must be done with the data that's present in Splunk after the search, that will work as well. The macro below is the default with the exception of adding the "distinguishedName" attribute to the table and to the ldap "attrs". I've tried various things with the ldapsearch itself and I think I'm hitting limitations of Microsoft's LDAP implementation. Once the data is returned to Splunk it seems like I should be able to filter out anything that contains "distinguishedName=OU=offendingou". If anyone has any ideas please let me know. Thanks.

```
ldapsearch domain="$domain$" search="(&(objectclass=user)(!(objectclass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" attrs="sAMAccountName,cn,userPrincipalName,userAccountControl,distinguishedName"
|join type=outer sAMAccountName [search eventtype=msad-successful-user-logons dest_nt_domain="$domain$"|stats max(_time) as lastLogonTime by user|rename user as sAMAccountName]|where isnull(lastLogonTime) | table sAMAccountName,cn,userPrincipalName,userAccountControl,distinguishedName
```
Hope I understand your question. Try to add a NOT after the eventtype=msad-successful-user-logons, something like this:

```
ldapsearch domain="$domain$" search="(&(objectclass=user)(!(objectclass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" attrs="sAMAccountName,cn,userPrincipalName,userAccountControl,distinguishedName"
|join type=outer sAMAccountName [search eventtype=msad-successful-user-logons NOT ("distinguishedName=offendingou OR OU=offendingou") dest_nt_domain="$domain$"|stats max(_time) as lastLogonTime by user|rename user as sAMAccountName]|where isnull(lastLogonTime) | table sAMAccountName,cn,userPrincipalName,userAccountControl,distinguishedName
```

First, try the subsearch on its own to make sure it ignores the OU:

```
index = YOUR_WINDOWS_AD_INDEX eventtype=msad-successful-user-logons NOT ("distinguishedName=offendingou OR OU=offendingou")
```

Hope it helps.
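The following is an added example, not code from either poster. The limitation the question runs into is real: in Active Directory, `distinguishedName` is a DN-syntax attribute, and the LDAP server does not support substring (wildcard) matching on DN-syntax attributes, so a filter such as `(!(distinguishedName=*OU=offendingou*))` will not do what you expect. The practical place to drop the OU is therefore in SPL, on the rows that `ldapsearch` returns, and before the join, so that the logon subsearch is not asked to filter on an attribute it never carries (successful-logon events do not contain `distinguishedName`). The OU name `offendingou` is a placeholder from the question; everything else is the original search.

```spl
ldapsearch domain="$domain$" search="(&(objectclass=user)(!(objectclass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" attrs="sAMAccountName,cn,userPrincipalName,userAccountControl,distinguishedName"
| search NOT distinguishedName="*,OU=offendingou,*"
| join type=outer sAMAccountName [search eventtype=msad-successful-user-logons dest_nt_domain="$domain$" | stats max(_time) as lastLogonTime by user | rename user as sAMAccountName]
| where isnull(lastLogonTime)
| table sAMAccountName,cn,userPrincipalName,userAccountControl,distinguishedName
```

The pattern is anchored with a comma on each side so that it matches the whole RDN `OU=offendingou` and not, say, `OU=offendingou2`; every user object's DN starts with `CN=`, so the OU is always preceded by a comma, and any object nested in a child OU of `offendingou` still matches because the parent OU appears in its DN. Wildcard matching in the `search` command is case-insensitive, which suits DNs whose case varies between tools. To check what the filter will remove before relying on it, run the same `ldapsearch` followed by `| search distinguishedName="*,OU=offendingou,*" | table distinguishedName` and confirm only the intended accounts are listed.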