I'm using the inactive users macro for example and I have a particular OU I'd like to ignore. I'd prefer to do it in the ldapsearch itself but if it must be done with the data that's present in Splunk after the search that will work as well. The macro below is default with the exception of adding the "distinguishedName" attribute to the table and ldap "attrs". I've tried various things with the ldapsearch itself and I think I'm hitting limitations of Microsoft's LDAP implementation. Once the data is returned to Splunk it seems like I should be able to filter out anything that contains "distinguishedName=OU=offendingou". If anyone has any ideas please let me know. Thanks.
ldapsearch domain="$domain$" search="(&(objectclass=user)(!(objectclass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" attrs="sAMAccountName,cn,userPrincipalName,userAccountControl,distinguishedName"
|join type=outer sAMAccountName [search eventtype=msad-successful-user-logons dest_nt_domain="$domain$"|stats max(_time) as lastLogonTime by user|rename user as sAMAccountName]|where isnull(lastLogonTime) | table sAMAccountName,cn,userPrincipalName,userAccountControl,distinguishedName
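Active Directory does not support substring matching on DN-syntax attributes such as distinguishedName, so the OU exclusion has to happen on the returned rows. As an added example (not code from the original post or the Splunk macro), here is that post-search exclusion done with proper RDN parsing in Python; the OU DN and the sample rows are constructed. A plain substring test on distinguishedName would also drop accounts in OU=offendingou2 or in an identically named OU elsewhere in the tree, which this check avoids.

```python
# Added example (not from the original post): exclude accounts whose DN sits
# under a given OU, using per-RDN comparison rather than a raw substring test.
from typing import Dict, List


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDN components, honouring backslash escapes so an
    escaped comma inside a value (e.g. 'CN=Smith\\, John') is not a separator."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep the escape sequence intact
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return parts


def dn_under_ou(dn: str, ou_dn: str) -> bool:
    """True if dn lies within ou_dn (directly or in a nested sub-OU).
    The suffix comparison is per-RDN and case-insensitive, so 'OU=offendingou2'
    or an OU with the same name elsewhere in the tree does not match."""
    rdns = [r.lower() for r in split_dn(dn)]
    ou_rdns = [r.lower() for r in split_dn(ou_dn)]
    return len(rdns) > len(ou_rdns) and rdns[-len(ou_rdns):] == ou_rdns


def exclude_ou(rows: List[Dict[str, str]], ou_dn: str) -> List[Dict[str, str]]:
    """Post-filter ldapsearch rows, keeping only accounts outside ou_dn."""
    return [r for r in rows if not dn_under_ou(r["distinguishedName"], ou_dn)]


# Constructed sample rows shaped like the macro's output (hypothetical names).
SAMPLE_ROWS = [
    {"sAMAccountName": "jsmith", "distinguishedName": "CN=Smith\\, John,OU=Staff,DC=example,DC=com"},
    {"sAMAccountName": "svc01", "distinguishedName": "CN=svc01,OU=offendingou,DC=example,DC=com"},
    {"sAMAccountName": "svc02", "distinguishedName": "CN=svc02,OU=Nested,OU=offendingou,DC=example,DC=com"},
    {"sAMAccountName": "bob", "distinguishedName": "CN=bob,OU=offendingou2,DC=example,DC=com"},
    {"sAMAccountName": "eve", "distinguishedName": "CN=eve,OU=offendingou,OU=Other,DC=example,DC=com"},
]

if __name__ == "__main__":
    for row in exclude_ou(SAMPLE_ROWS, "OU=offendingou,DC=example,DC=com"):
        print(row["sAMAccountName"], row["distinguishedName"])
```

The quick SPL equivalent is a post-filter such as `| where NOT like(distinguishedName, "%,OU=offendingou,DC=example,DC=com")` appended after the ldapsearch; anchoring the pattern on the full OU path avoids matching OU=offendingou2 or a same-named OU under a different parent.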