Splunk® Supporting Add-on for Active Directory

Deploy and Use the Splunk Supporting Add-on for Active Directory (SA-LDAPSearch)

The ldapfilter command


The ldapfilter command filters and augments events with information from Active Directory. It follows a 'search' or similar command in the pipeline so you can feed it events. A sample usage follows

eventtype=msad-successful-user-logons |ldapfilter domain=$dest_nt_domain$ search="(objectClass=$src_user$)" attrs="telephoneNumber,displayName"

There are several possible arguments:

Argument Description
search=<search-filter> Specifies the LDAP or Active Directory domain to search.
domain=<domain> Specifies the LDAP or Active Directory domain to search.
search=<search-filter> Specifies the RFC 2254-compliant search string.
basedn=<search-base> Specifies a search base as the starting point instead of the default as set in the ldap configuration stanza identified by domain.
attrs=<attribute-names> Specifies a comma-delimited list of attributes to return as fields.
debug=<boolean> Specifies whether or not ldapfilter should write debug log data. When set to T, specifies that debug logging should occur.
logging_level=(CRITICAL|ERROR|WARNING|INFO|DEBUG) Specifies the logging level for the $SPLUNK_HOME/var/log/splunk/SA-ldapsearch.log file. Splunk can access this file with the "index=_internal sourcetype=SA-ldapsearch" search and exposes the following fields:

File: Full pathname of the source file where the logging call was made.
Level: Level of the logging call that was made; one of CRITICAL, ERROR, WARNING, INFO, or DEBUG.
Line: Line number in the source file where the logging call was made.
Pid: ID of the process that made the logging call.
log_source: String of the form "Pid=<Pid>, File=<File>, Line=<Line>".
message: Full text of the logged message.

ldapfilter writes its debug logs to $SPLUNK_HOME/var/log/splunk/SA-ldapsearch.log. Splunk indexes and rotates this file by default.

On return, ldapfilter adds the LDAP attributes specified by the attrs argument to each event based on an LDAP search. It uses the domain and search fields to determine the LDAP search to perform. You can substitute variables by surrounding field names with dollar signs. For example, $src_user$


To return the display name and telephone number for all successful logons:

search eventtype=msad-successful-user-logons |stats count by src_user,dest_nt_domain |ldapfilter domain=$dest_nt_domain$ search="(sAMAccountNAme=$src_user$)" attrs="telephoneNumber,displayName" |table src_user,dest_nt_domain,displayName,telephoneNumber,count

To print a list of all Organization Units (OU) that have linked GPOs and fetch the displayName of the GPO:

|ldapsearch domain=MYDOMAIN search="(objectclass=organizationalUnit)" attrs="ou,description,gPLink,gPOptions" |sort ou |rex field=gPLink max_match=10 "\[LDAP:\/\/(?<gpo>[^;]+);\d+\]" |ldapfilter debug=T domain="{ctx}$gpo$" search="(distinguishedName=$gpo$)" attrs="cn,displayName" |table ou,cn,displayName

Important: You must specify the search, domain and attrs fields for ldapfilter to work properly.

Last modified on 18 July, 2024
The ldapsearch command   The ldapfetch command

This documentation applies to the following versions of Splunk® Supporting Add-on for Active Directory: 3.0.8

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters