Hello,

I am still pretty new to Splunk. I have used the python active_directory module (http://timgolden.me.uk/python/active_directory.html) to run a query and return a list of users from a specific OU. This list changes, so I want to be able to pass in the usernames from the OU to a search.

My question is: is there a way to call this python script and grab the output to pass into a search WITHOUT having to run the search itself from Python?

Essentially, I am grabbing a list of vendor accounts who have limited access to some of our systems remotely. What I want to do is dynamically grab a user name list and run a search for their logins on a Windows server. I am hoping to get this going quickly and would prefer using the GUI and report engine from Splunk rather than parse the XML return.

Thanks for any suggestions.

Kevin

asked 26 Aug '10, 14:01

kholleran


One Answer:

This typically is accomplished with a subsearch. Suppose you've defined a command that you can run (from the Web UI or CLI) as the following to give a list of LoginName fields:

| ad | search type=vendor | fields LoginName

Then to parameterize another search by the output of this, you'd search:

sourcetype=... [| ad | search OU=... | fields LoginName]

This search will be expanded to:

sourcetype=... ((LoginName="L1") OR (LoginName="L2") OR ...)

An alternate solution would be to use a scripted lookup instead of a search command. This has the benefit of labeling all logins however you like (say with the OU). Also, if configured properly, you could search by OU transparently:

sourcetype=... OU=...

answered 26 Aug '10, 16:09

Stephen Sorkin ♦

Note that the Windows version of Splunk comes with an AD monitoring scripted input. This input lets it load the contents of the AD tree into Splunk so it can be queried via the Splunk search language directly, so you would use a subsearch command like `[ search sourcetype=ActiveDirectory OU=... | eval LoginName=sAMAccountName | fields LoginName ]` instead of starting with your AD query script.

(26 Aug '10, 16:59) gkanapathy ♦
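The subsearch expansion described in the answer above (and in the comment's sourcetype=ActiveDirectory variant), as an added worked example that is not code from the question, the answers or Splunk itself: it takes the rows a LoginName-producing subsearch would return, dedups them, and builds the `(LoginName="L1") OR (LoginName="L2") ...` clause, quoting each value so a username containing a double quote or backslash cannot alter the outer search. The `ad` command and its CSV output are assumptions standing in for the poster's active_directory script; the usernames are constructed sample data.

```python
"""Added example: reproduce how Splunk expands
    sourcetype=... [| ad | search OU=... | fields LoginName]
into
    sourcetype=... ((LoginName="L1") OR (LoginName="L2") OR ...)
The 'ad' command is assumed (it stands in for the poster's script)."""
import csv
import io

# Constructed stand-in for the rows "| ad | search OU=Vendors | fields LoginName"
# might return: a header row, then one LoginName per result row (one duplicate,
# one blank row) so the dedup step below has something to do.
AD_SCRIPT_OUTPUT = """LoginName
vendor01
vendor02
vendor01

svc_remote
"""


def login_names(csv_text, field="LoginName"):
    """Return the distinct, non-empty values of `field` from the subsearch
    rows, in first-seen order, so no account adds a redundant OR term."""
    seen = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        value = (row.get(field) or "").strip()
        if value and value not in seen:
            seen.append(value)
    return seen


def quote_value(value):
    """Quote one field value for SPL: backslashes and double quotes inside
    the value are escaped, so the username stays inside its quoted term."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def expand_subsearch(outer, field, values):
    """Return the expanded search: the outer terms followed by the OR list
    Splunk builds from the subsearch results (outer terms only if empty)."""
    if not values:
        return outer
    terms = " OR ".join("(%s=%s)" % (field, quote_value(v)) for v in values)
    return "%s (%s)" % (outer, terms)


if __name__ == "__main__":
    names = login_names(AD_SCRIPT_OUTPUT)
    print(expand_subsearch("sourcetype=WinEventLog:Security", "LoginName", names))
```

Splunk applies its own limits to the number of subsearch results it will expand this way, so a very large OU is better served by the scripted-lookup approach the answer also mentions.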
Last updated: 10 Apr '11, 13:22

Copyright © 2005-2012 Splunk, Inc. All rights reserved.