How to modify the built-in macro to exclude a particular OU?

jms112080
New Member

I'm using the inactive users macro, for example, and I have a particular OU I'd like to ignore. I'd prefer to do it in the ldapsearch itself, but if it must be done with the data that's present in Splunk after the search, that will work as well. The macro below is the default, with the exception of adding the "distinguishedName" attribute to the table and to the ldap "attrs". I've tried various things with the ldapsearch itself and I think I'm hitting limitations of Microsoft's LDAP implementation. Once the data is returned to Splunk, it seems like I should be able to filter out anything that contains "distinguishedName=OU=offendingou". If anyone has any ideas, please let me know. Thanks.

ldapsearch domain="$domain$" search="(&(objectclass=user)(!(objectclass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" attrs="sAMAccountName,cn,userPrincipalName,userAccountControl,distinguishedName"
| join type=outer sAMAccountName
    [search eventtype=msad-successful-user-logons dest_nt_domain="$domain$"
    | stats max(_time) as lastLogonTime by user
    | rename user as sAMAccountName]
| where isnull(lastLogonTime)
| table sAMAccountName,cn,userPrincipalName,userAccountControl,distinguishedName

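The filter the question describes, applied to the rows ldapsearch returns rather than inside the LDAP query, as an added example that is not part of the original post or of the add-on that provides the ldapsearch command: it re-implements the macro's pipeline (LDAP filter, outer join on successful logons, keep users with no logon) in Python over constructed records so the OU exclusion can be exercised offline. The caveat behind the "limitations" the question ran into: Active Directory evaluates distinguishedName with equality matching only, so a wildcard clause such as (!(distinguishedName=*OU=offendingou*)) in the search filter does not work, and the exclusion has to happen on the returned data. The OU name offendingou, the DC=example,DC=com suffix and every user and logon record below are assumed placeholders.

```python
"""Offline model of the inactive-users macro with a post-search OU exclusion.

Added example, not the macro's own code.  All names (OU=offendingou,
DC=example,DC=com, the users and logons) are constructed placeholders.
"""
from typing import Dict, List

# userAccountControl bit tested by the macro's 1.2.840.113556.1.4.803:=2 clause
ACCOUNTDISABLE = 0x2

OUTPUT_FIELDS = ("sAMAccountName", "cn", "userPrincipalName",
                 "userAccountControl", "distinguishedName")


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDNs while honouring backslash escapes.

    A plain dn.split(',') breaks on names like 'CN=Doe\\, Jane', which is
    why the escape is tracked by hand here.
    """
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped char stays in this RDN
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    return rdns


def in_ou(dn: str, ou_dn: str) -> bool:
    """True when dn sits inside ou_dn or any container beneath it.

    The comparison is per RDN and case-insensitive (AD DNs are), so a
    substring look-alike such as OU=offendingou2 does not match, unlike a
    naive '"OU=offendingou" in dn' test.
    """
    parts = [p.lower() for p in split_dn(dn)]
    ou_parts = [p.lower() for p in split_dn(ou_dn)]
    return len(parts) > len(ou_parts) and parts[-len(ou_parts):] == ou_parts


def ldap_filter(entries: List[Dict]) -> List[Dict]:
    """The macro's LDAP filter, evaluated in Python:
    (&(objectclass=user)(!(objectclass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"""
    return [e for e in entries
            if "user" in e["objectClass"]
            and "computer" not in e["objectClass"]
            and not e["userAccountControl"] & ACCOUNTDISABLE]


def inactive_users(entries: List[Dict], logons: List[Dict],
                   exclude_ou: str, domain: str) -> List[Dict]:
    """Mirror of the macro: ldapsearch rows outer-joined to the latest
    successful logon per user; rows with no logon are reported as inactive.
    Rows under exclude_ou are dropped after the LDAP step, which is the
    only place AD lets you filter on the DN path."""
    last_logon: Dict[str, int] = {}          # stats max(_time) by user
    for ev in logons:
        if ev["dest_nt_domain"].lower() != domain.lower():
            continue
        user = ev["user"].lower()            # sAMAccountName is case-insensitive in AD
        last_logon[user] = max(last_logon.get(user, 0), ev["_time"])

    result = []
    for e in ldap_filter(entries):
        if in_ou(e["distinguishedName"], exclude_ou):
            continue                         # the OU the question wants ignored
        if e["sAMAccountName"].lower() in last_logon:
            continue                         # where isnull(lastLogonTime) fails
        result.append({k: e[k] for k in OUTPUT_FIELDS})
    return result


def _user(sam, cn, uac, dn, classes=("top", "person", "organizationalPerson", "user")):
    return {"sAMAccountName": sam, "cn": cn, "userPrincipalName": f"{sam}@example.com",
            "userAccountControl": uac, "objectClass": list(classes), "distinguishedName": dn}


# Constructed ldapsearch-style rows covering the cases that matter.
ENTRIES = [
    _user("alice", "Alice Adams", 512, "CN=Alice Adams,OU=Staff,DC=example,DC=com"),
    _user("bob", "Bob Brown", 512, "CN=Bob Brown,OU=Staff,DC=example,DC=com"),        # has a logon
    _user("svc_old", "svc_old", 512, "CN=svc_old,OU=Legacy,OU=offendingou,DC=example,DC=com"),  # nested in excluded OU
    _user("carol", "Carol Cole", 514, "CN=Carol Cole,OU=Staff,DC=example,DC=com"),    # 514 = disabled
    _user("dave", "Dave, D", 512, "CN=Dave\\, D,OU=offendingou2,DC=example,DC=com"),   # look-alike OU, escaped comma
    _user("ws01$", "WS01", 4096, "CN=WS01,OU=offendingou,DC=example,DC=com",
          classes=("top", "person", "organizationalPerson", "user", "computer")),
]
# Constructed msad-successful-user-logons style events.
LOGONS = [
    {"_time": 1700000000, "user": "BOB", "dest_nt_domain": "EXAMPLE"},
    {"_time": 1700000500, "user": "svc_old", "dest_nt_domain": "OTHER"},  # wrong domain, ignored
]
EXCLUDE_OU = "OU=offendingou,DC=example,DC=com"

if __name__ == "__main__":
    for row in inactive_users(ENTRIES, LOGONS, EXCLUDE_OU, "EXAMPLE"):
        print(row["sAMAccountName"], row["distinguishedName"])
```

In SPL the same post-search exclusion goes directly after the ldapsearch command, for instance `| regex distinguishedName!="(?i),OU=offendingou,"` (assuming the OU may sit anywhere in the path; the surrounding commas keep it from matching OU=offendingou2). The example also lower-cases sAMAccountName before the join, which the macro as written does not do, because logon events often carry the account name in a different case than the directory.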

adonio
Ultra Champion

Hope I understand your question. Try adding a NOT after eventtype=msad-successful-user-logons, something like this:

ldapsearch domain="$domain$" search="(&(objectclass=user)(!(objectclass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" attrs="sAMAccountName,cn,userPrincipalName,userAccountControl,distinguishedName"
| join type=outer sAMAccountName
    [search eventtype=msad-successful-user-logons NOT (distinguishedName="*OU=offendingou*" OR OU="offendingou") dest_nt_domain="$domain$"
    | stats max(_time) as lastLogonTime by user
    | rename user as sAMAccountName]
| where isnull(lastLogonTime)
| table sAMAccountName,cn,userPrincipalName,userAccountControl,distinguishedName

First, try the subsearch on its own to make sure it ignores the OU:

index=YOUR_WINDOWS_AD_INDEX eventtype=msad-successful-user-logons NOT (distinguishedName="*OU=offendingou*" OR OU="offendingou")

Hope it helps.
