Trying to get a basic search of Windows event data to cross reference with fields from ldapsearch. I'm wanting it to take the value of a field (like Account_Name) in a Windows event and use it as a token to run an ldapsearch and return the value of a particular field from AD (like an OU). Rinse and repeat for all the values from the Windows results.
I tried a join/append with the ldapsearch as the subsearch, and pondered creating a lookup table of the ldapsearch values. But we've got a very large environment (>140,000 users) that makes the subsearch/lookup-table enormous. Since the Windows search normally only returns a couple dozen events, the processing time of the ldapsearch to return all possible values completely kills the value of the search. I really need to be able to limit the ldapsearch to just he couple dozen main-search values.
How do I get <main-search with $tokenvalues$> to pass to | ldapsearch domain=mydomain search="$tokenvalues$"
↧