Splunk cannot work against ‘nisNetGroupTriple’. That type of group is specifically intended to control who can log into a set of hosts, and as you note the format includes hostname and domain name.
The way authentication works, the user's login is validated first - then a selected value from the user's own entry is extracted from that entry. This value is used to identify which other groups contain that user. You can read more about this approach here: http://ldapman.org/authentication
Unfortunately, there is no value in the user's entry that would match the format used in the nisNetGroupTriple.
We do support the other formats from the NIS / LDAP RFCs:
objectClass=rfc822MailGroup
objectClass=posixGroup
... Or any other group whose members are stored either as a login name, email address, or full DN.
... View more