The ldapgroup command
The 'ldapgroup' command filters and augments events with group-membership information from Active Directory. It follows a 'search' or similar command in the pipeline so that events can be fed to it. A sample usage follows:
|ldapsearch domain=SPL search="(objectClass=group)"|ldapgroup
There are several possible arguments:
groupdn=<field-name>
    Specifies the field to use as the distinguished name of the group to expand.

domain=<domain>
    Specifies the name of a configuration stanza in ldap.conf. If you do not specify a domain, the command uses the default stanza.

debug=<boolean>
    Specifies whether or not ldapgroup should write debug log data. When set to T, debug logging occurs.

logging_level=(CRITICAL|ERROR|WARNING|INFO|DEBUG)
    Specifies the logging level for the $SPLUNK_HOME/var/log/splunk/SA-ldapsearch.log file. Splunk can access this file with the "index=_internal sourcetype=SA-ldapsearch" search and exposes the following fields:

    File: Full pathname of the source file where the logging call was made.
ldapgroup writes its debug logs to $SPLUNK_HOME/var/log/splunk/SA-ldapsearch.log. Splunk indexes and rotates this file by default.
Once it completes execution, ldapgroup adds five additional fields to each event:

member_dn
    The list of member Distinguished Names (DNs).

member_domain
    The NetBIOS domain(s) for the member DN(s).

member_name
    The sAMAccountName (SAM account name) for the member DN(s).

member_type
    The type of membership (one of PRIMARY, DIRECT or NESTED with the group DN).

mv_combo
    All of the above, combined into a single field separated by ###.
To display a table of all groups with their members and membership type:
|ldapsearch domain=SPL search="(objectClass=group)"|table cn,distinguishedName|ldapgroup|table cn,member_dn,member_type
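The following is an added example, not code from the SA-ldapsearch add-on: it resolves a group's membership over a constructed in-memory directory and emits rows with the five fields described above (member_dn, member_domain, member_name, member_type, mv_combo), so you can see how DIRECT, NESTED and PRIMARY members differ and why a cycle between nested groups must be handled. The DNs, the NETBIOS mapping, the primary_group attribute (a simplification of AD's primaryGroupID lookup) and the "NESTED <group DN>" format are assumptions for illustration.

```python
from typing import Dict, List, Optional

# Constructed sample directory (not real data): DN -> attributes.
# Entries with a "member" attribute are groups; "primary_group" stands in
# for AD's primaryGroupID, whose members never appear in "member".
DIRECTORY: Dict[str, dict] = {
    "CN=Domain Admins,CN=Users,DC=corp,DC=example": {
        "member": ["CN=Alice,CN=Users,DC=corp,DC=example",
                   "CN=Tier0 Ops,OU=Groups,DC=corp,DC=example"]},
    "CN=Tier0 Ops,OU=Groups,DC=corp,DC=example": {
        "member": ["CN=Bob,CN=Users,DC=corp,DC=example",
                   "CN=Domain Admins,CN=Users,DC=corp,DC=example"]},  # cycle
    "CN=Alice,CN=Users,DC=corp,DC=example": {"sAMAccountName": "alice"},
    "CN=Bob,CN=Users,DC=corp,DC=example": {"sAMAccountName": "bob"},
    "CN=Carol,CN=Users,DC=corp,DC=example": {
        "sAMAccountName": "carol",
        "primary_group": "CN=Domain Admins,CN=Users,DC=corp,DC=example"},
}
NETBIOS = {"DC=corp,DC=example": "CORP"}  # constructed DC path -> NetBIOS name
FIELDS = ("member_dn", "member_domain", "member_name", "member_type")


def domain_of(dn: str) -> str:
    """Map the DC components of a DN to the NetBIOS domain name."""
    dc_path = ",".join(p for p in dn.split(",") if p.startswith("DC="))
    return NETBIOS.get(dc_path, "UNKNOWN")


def expand_group(group_dn: str) -> List[dict]:
    """Return one row per user member, in the shape ldapgroup emits."""
    rows: List[dict] = []
    seen = {group_dn}  # groups already walked; stops nesting cycles

    def row(dn: str, mtype: str) -> dict:
        return {"member_dn": dn, "member_domain": domain_of(dn),
                "member_name": DIRECTORY[dn]["sAMAccountName"],
                "member_type": mtype}

    def walk(dn: str, via: Optional[str]) -> None:
        for member in DIRECTORY.get(dn, {}).get("member", []):
            if "member" in DIRECTORY.get(member, {}):  # nested group
                if member not in seen:
                    seen.add(member)
                    walk(member, member)  # label by immediate parent group
                continue
            rows.append(row(member, "DIRECT" if via is None else f"NESTED {via}"))

    walk(group_dn, None)
    for dn, attrs in DIRECTORY.items():  # primary members are not in "member"
        if attrs.get("primary_group") == group_dn:
            rows.append(row(dn, "PRIMARY"))
    for r in rows:
        r["mv_combo"] = "###".join(r[k] for k in FIELDS)
    return rows
```

For the constructed directory, expanding Domain Admins yields alice as DIRECT, bob as NESTED via Tier0 Ops, and carol as PRIMARY, while the Tier0 Ops to Domain Admins back-reference is visited only once.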
This documentation applies to the following versions of Splunk® Supporting Add-on for Active Directory: 3.0.6