I tried this query to get all the members of a particular LDAP group:
| rest /servicesNS/nobody/system/admin/LDAP-groups|search title="SPLUNK-group-name"
|dedup title|fields users| rex field=users "CN=(?<user>[^,]+)"|table user
| mvexpand user
|join realname[|rest /services/authentication/users splunk_server=local|search realname=*|table title]
user title
john abcd
sam abcd
nike abcd
rams abcd
My desired result should look like this: I should get the unique ID associated with each member.
user title
john abcd
sam efgh
nike ijkl
rams mnop
I tried to replace the * with 'user' in the above query:
join realname[|rest /services/authentication/users splunk_server=local|search realname=user|table title]
but I'm not able to get any results — showing as no results. Can anyone please help with this?
Thanks,
Bhaskara.
DO NOT USE JOIN. Try this:
| rest /servicesNS/nobody/system/admin/LDAP-groups
| search title="WHATEVER"
| dedup title
| fields users| rex field=users "CN=(?<user>[^,]+)"
| table user
| mvexpand user
| appendpipe
[| rest /services/authentication/users splunk_server=local
| search realname=*
| rename title as user
| table user realname]
| stats values(*) AS * BY user
Does this work for you:
| rest /servicesNS/nobody/system/admin/LDAP-groups
| search title="WHATEVER"
| dedup title
| fields users| rex field=users "CN=(?<user>[^,]+)"
| table user
| mvexpand user
| join user type=outer
[| rest /services/authentication/users splunk_server=local
| search realname=*
| rename title as user
| table user realname]
All the best