Can you help me build a Splunk query to get all as...

bhaskarasplunk · ‎02-07-2019

I tried this query to get all the members of a particular LDAP group:

| rest /servicesNS/nobody/system/admin/LDAP-groups|search title="SPLUNK-group-name"
|dedup title|fields users| rex field=users "CN=(?[^,]+)"|table user
| mvexpand user
|join realname[|rest /services/authentication/users splunk_server=local|search realname=*|table title]

Result:

user title

john abcd

sam abcd

nike abcd

rams abcd

My desired result should look like this: I should get unique ID associated with each member.

user title

john abcd

sam efgh

nike ijkl

rams mnop

I tried to replace the * with 'user' in the above query:

 join realname[|rest /services/authentication/users splunk_server=local|search realname=user|table title]

but I'm not able to get any results — showing as no results. Can anyone please help with this?

Thanks,
Bhaskara.

woodcock · ‎02-07-2019

DO NOT USE JOIN. Try this:

| rest /servicesNS/nobody/system/admin/LDAP-groups 
| search title="WHATEVER" 
| dedup title 
| fields users| rex field=users "CN=(?<user>[^,]+)" 
| table user 
| mvexpand user 
| appendpipe
[| rest /services/authentication/users splunk_server=local 
 | search realname=* 
 | rename title as user
 | table user realname]
| stats values(*) AS * BY user

chrisyounger · ‎02-07-2019

Does this work for you:

| rest /servicesNS/nobody/system/admin/LDAP-groups 
| search title="WHATEVER" 
| dedup title 
| fields users| rex field=users "CN=(?<user>[^,]+)" 
| table user 
| mvexpand user 
| join user type=outer 
    [| rest /services/authentication/users splunk_server=local 
    | search realname=* 
    | rename title as user
    | table user realname]

All the best

Can you help me build a Splunk query to get all associated members (Username and UserId) of the LDAP group?

Result:

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life