
how would I take an entry like this.

Member ID: CN=Test audit,OU=Users,OU=Office,OU=State,DC=domain,DC=local

and make it look like this....

Test audit

In a report generated in an e-mail? I'd like to trim it up.

Here's my original search

source="WinEventLog:Security" OR source="WinEventLog:Application" OR source="WinEventLog:system" EventCode "632" OR "633" OR "660" OR "661" OR "636" OR "637" "Domain Admins" OR "Account Operators" OR "Administrators" OR "Backup Operators" OR "Guests" OR "Network Configuration Operators" OR "Print Operators" OR "Remote Desktop Users" OR "Server Operators" OR "Users" OR "DNSAdmins" OR "DnsUpdateProxy" OR "Domain Guests" OR "Enterprise Admins" OR "Group Policy Creator Owners" OR "Schema Admins" |convert ctime(_time) AS Time | table Time,User,Target_Account_Name,Member_Name,Added_Removed | rename User to "Change Made By", Target_Account_Name to "Global Group", Member_Name to "Account Affected", Added_Removed to "Status" | rex "CN=(?<out>[^,]+),"

asked 04 Feb '11, 19:57

bshuford

edited 07 Feb '11, 17:10


2 Answers:

Have you tried with a rex field extraction?

| rex "CN=(?<out>[^,]+),"

answered 06 Feb '11, 22:29

Paolo Prigione

That works, too. Way easier. =P

(06 Feb '11, 23:19) Ron Naken

bshuford, please post your full search in your original question instead of putting it in a comment for readability. (Use the "edit" link under your question at the top.) Also, you could try adding "field" to your rex command, like so: rex field=Member_ID "CN=(?<out>[^,]+)," but that shouldn't be necessary unless "CN=" appears multiple times in your event.

(07 Feb '11, 16:28) Lowell ♦

CN= does appear twice. I did already try rex field=Member_Name "CN=(?<out>[^,]+)," and that didn't work either. That's exactly what I was thinking.

(07 Feb '11, 17:12) bshuford
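As an added example (not from this thread), the same extraction done with Python's re module on a constructed event, to show what the thread's rex does on _raw versus with field=, when CN= appears twice in the event, and the LDAP-escaped-comma case that the [^,]+ pattern does not handle. The event text, names, OUs and domain are made up for the example.

```python
import re

# Constructed sample of a Windows Security event in the shape the question describes
# (EventCode 632 style, one "Label:<tab>value" line per field). All names, OUs and the
# domain are made up for this example; the second CN= carries an LDAP-escaped comma (\,).
SAMPLE_EVENT = (
    "EventCode=632\n"
    "Target Account Name:\tDomain Admins\n"
    "Member Name:\tCN=Test audit,OU=Users,OU=Office,OU=State,DC=domain,DC=local\n"
    "Member ID:\tCN=Svc Account\\, Backup,OU=Service,DC=domain,DC=local\n"
)

# The value pattern from the accepted answer: everything up to the first comma.
CN_VALUE = r"[^,]+"
# Escape-aware variant: a backslash-escaped character (such as \,) stays inside the CN.
CN_VALUE_ESCAPED = r"(?:\\.|[^,\\])+"


def extract_cn(raw, field=None, handle_escapes=False):
    """Python equivalent of the thread's rex command.

    field=None  -> like `| rex "CN=(?<out>[^,]+),"` on _raw: the first CN= in the event wins.
    field="X"   -> like `| rex field=X ...`: the match is anchored to that field's own line,
                   so a second CN= elsewhere in the event cannot be picked up by mistake.
    Python's re spells named groups (?P<out>...); Splunk's PCRE-based rex accepts (?<out>...).
    Returns the CN value, or None when the field holds no DN (e.g. a bare group name).
    """
    value = CN_VALUE_ESCAPED if handle_escapes else CN_VALUE
    if field is None:
        match = re.search(r"CN=(?P<out>" + value + r"),", raw)
    else:
        line_pattern = r"^" + re.escape(field) + r":\s*CN=(?P<out>" + value + r"),"
        match = re.search(line_pattern, raw, re.MULTILINE)
    return match.group("out") if match else None


if __name__ == "__main__":
    print(extract_cn(SAMPLE_EVENT))                                          # Test audit
    print(extract_cn(SAMPLE_EVENT, field="Member ID"))                       # Svc Account\  (cut at \,)
    print(extract_cn(SAMPLE_EVENT, field="Member ID", handle_escapes=True))  # Svc Account\, Backup
    print(extract_cn(SAMPLE_EVENT, field="Target Account Name"))             # None
```

Note that the page's pattern also requires a comma after the CN value, so a DN consisting of just `CN=name` with no further components would not match either form.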

Given your sample data, this will create a field called out that has a value of Test audit.

... | eval tmp=split(myfield, ",") | eval out=substr(mvfilter(match(tmp,"CN=")),15)

answered 04 Feb '11, 22:09

Ron Naken

OK, I get this, but it's not working. Here is what I put in the end of my search

| eval tmp=split(Target_Account_Name, ",") | eval out=substr(mvfilter(match(tmp,"CN=")),15)

What am I doing wrong?

(06 Feb '11, 13:42) bshuford

OH, the other question is, what is the 15? Counting 15 Characters from the CN=? If so what if the name is longer?

(06 Feb '11, 13:43) bshuford

Not sure, but the rex solution Paolo provided would be much easier.

(06 Feb '11, 23:22) Ron Naken

Asked: 04 Feb '11, 19:57

Seen: 1,412 times

Last updated: 07 Feb '11, 17:10

Copyright © 2005-2012 Splunk Inc. All rights reserved.