Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Extracting hostname from event and then checking presence of computer account in ActiveDirectory using extracted text

dmcinnis
New Member
‎11-29-2013 06:02 AM

Hi Everyone,

I have a question regarding looking up a extracted/generated field from splunk against active directory at search time.
The objective is as follows
1. Extract hostname from DHCP log
2. Check if hostname is present as a Computer object in AD
3. If not present, return hostname as a result

Do I have to extract all AD computer account objects and then put them in a CSV file to do a lookup against, or is it possible to compare the extracted hostnames against AD directly at search time using something like inline ldapsearch?

Any help would be greatly appreciated, I hope my search fu did not miss an answer to this kind of question already.

Many thanks
David.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎11-29-2013 09:45 AM

use a subsearch result to populate the search condition from the main search.

<main_search_conditions> [ search <subsearch_on_ldap> | dedup host | table host ]
| <end_of_my_mainsearch_processing>

The subsearch will return something in the format (host=A OR host=B OR host=C ...)
The timerange will be the same for both searches. You can specify manually in the search terms if different ranges are needed.

see http://docs.splunk.com/Documentation/Splunk/6.0/Search/Usesubsearchtocorrelateevents

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎11-29-2013 12:36 PM

It certainly is possible to perform a dynamic (scripted) lookup against any external source (such as Active Directory) rather than keeping the file up to date, or using a subsearch.

The subsearch as answered by yannK does solve your problem, provided you use the ldapsearch search command that is provided in the Splunk Support for AD app http://apps.splunk.com/app/1151/# It does have some limitations though.

If you did want a lookup, you would either keep the AD CSV file up-to-date, or you would build a dynamic lookup. Unfortunately the Splunk AD app doesn't include such a program. You can find out how to structure such a lookup program here: http://docs.splunk.com/Documentation/Splunk/6.0/Knowledge/Addfieldsfromexternaldatasources#Set_up_a_...

Reply
Solved! Jump to solution

dmcinnis
New Member
‎12-16-2013 05:08 AM

Many thanks, I messed up when marking answers so you should both get the nod for answering my question

0 Karma
Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎11-29-2013 09:45 AM

use a subsearch result to populate the search condition from the main search.

<main_search_conditions> [ search <subsearch_on_ldap> | dedup host | table host ]
| <end_of_my_mainsearch_processing>

The subsearch will return something in the format (host=A OR host=B OR host=C ...)
The timerange will be the same for both searches. You can specify manually in the search terms if different ranges are needed.

see http://docs.splunk.com/Documentation/Splunk/6.0/Search/Usesubsearchtocorrelateevents

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎11-29-2013 08:08 AM

you can use 'ldapfilter' command to query against LDAP in the search.

Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...