Splunk® Supporting Add-on for Active Directory

Deploy and Use the Splunk Supporting Add-on for Active Directory (SA-LDAPSearch)

Download manual as PDF

Download topic as PDF

The ldapfetch command

Overview

The 'ldapfetch' command filters and augments events with information from Active Directory. It follows a 'search' or similar command in the pipeline so you can feed it events. A sample usage follows:

|ldapsearch domain="SPL" search="(objectclass=group)" attrs="memberOf" |mvexpand memberOf |ldapfetch dn=memberOf attrs="cn,description"

There are several possible arguments:

Argument Description
dn=<field-name> Specifies the field that holds the Distinguished Name (DN) to fetch.
attrs=<attribute-names> Specifies a comma-delimited list of attributes to return as fields.
domain=<domain> Specifies the name of a configuration stanza in ldap.conf. If you do not specify a domain, the command uses the default stanza.
debug=<boolean> Specifies whether or not ldapfetch should write debug log data. When set to T, specifies that debug logging should occur.
logging_level=(CRITICAL|ERROR|WARNING|INFO|DEBUG) Specifies the logging level for the $SPLUNK_HOME/var/log/splunk/SA-ldapsearch.log file. Splunk can access this file with the "index=_internal sourcetype=SA-ldapsearch" search and exposes the following fields:

File: Full pathname of the source file where the logging call was made.
Level: Level of the logging call that was made; one of CRITICAL, ERROR, WARNING, INFO, or DEBUG.
Line: Line number in the source file where the logging call was made.
Pid: ID of the process that made the logging call.
log_source: String of the form "Pid=<Pid>, File=<File>, Line=<Line>".
message: Full text of the logged message.

ldapfetch writes its debug logs to $SPLUNK_HOME/var/log/splunk/SA-ldapsearch.log. Splunk indexes and rotates this file by default.

On return, ldapfetch adds the LDAP attributes specified by the attrs argument to each event, based on an LDAP fetch operation. It uses the dn field to determine the LDAP record to fetch.

If you do not specify the dn, then ldapfetch uses the distinguishedName field name.

Examples

To list all Organizational Units (OU), together with any Group Policy Objects (GPOs) linked to them:

|ldapsearch domain=SPL search="(objectclass=organizationalUnit)" attrs="ou,description,gPLink,gPOptions" |sort ou |rex field=gPLink max_match=10 "\[LDAP://(?<gpo>[^;]+);\d+\]" |ldapfetch dn=gpo attrs=displayname |table ou,description,displayname |rename ou as "Name", displayname as "Linked GPO"

PREVIOUS
The ldapfilter command
  NEXT
The ldapgroup command

This documentation applies to the following versions of Splunk® Supporting Add-on for Active Directory: 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.2.0, 2.2.1


Comments

This REALLY needs an explanation as to how it is different from this:
http://docs.splunk.com/Documentation/SA-LdapSearch/latest/User/Theldapfiltercommand

Woodcock
January 29, 2016

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters