Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help with rex

zindain24
Path Finder
‎07-18-2012 08:51 AM

We are looking to create a multi field rex command to capture the following:
1. Firstname Lastname
2. OrgUnit

I am having trouble getting the "Firstname Lastname" to parse properly, here is what I have so far:
|rex field=_raw "(?) CN=(?[^,]+)"

Help is greatly appreciated!

Here is a raw event:
07/18/2012 09:00:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4728 EventType=0 Type=Information ComputerName=SERVERNAME.domain.com TaskCategory=Security Group Management OpCode=Info RecordNumber=1688571344 Keywords=Audit Success Message=A member was added to a security-enabled global group. Subject: Security ID: DOMAIN\test003 Account Name: test003 Account Domain: DOMAIN Logon ID: 0x6356e0a1e Member: Security ID: DOMAIN\LOGONID Account Name: CN=Firstname Lastname,OU=OrgUnit,OU=Non-Domain Users,OU=People,DC=company,DC=com Group: Security ID: DOMAIN\SD-INSTALL-ASSET_MANAGEMENT Group Name: GP-GROUP-GROUPNAME_MANAGEMENT Group Domain: DOMAIN Additional Information: Privileges: -

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎07-18-2012 09:00 AM

Splunk should already be extracting the OrgUnit as it is in field=value format. It will call the field OU, but you can set a field alias if you want a different name. The name is more of a problem, as it contains whitespace.

To extract them both:

 ... | rex field=_raw "CN=(?<cname>.+?),OU=(?<orgunit>\S+)"

To extract just the cname:

 ... | rex field=_raw "CN=(?<cname>.+?),"

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎07-18-2012 09:00 AM

Splunk should already be extracting the OrgUnit as it is in field=value format. It will call the field OU, but you can set a field alias if you want a different name. The name is more of a problem, as it contains whitespace.

To extract them both:

 ... | rex field=_raw "CN=(?<cname>.+?),OU=(?<orgunit>\S+)"

To extract just the cname:

 ... | rex field=_raw "CN=(?<cname>.+?),"
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...