- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I only show certain values in a field?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm trying to group ldap log values. I have already listed them out from a comma separated value but, I'm having a hard time getting them the way I want them to display. I'm trying to create a new field and show just the CN
here is my query - sourcetype=mysearch user_ldap_user_attributes_memberOf=business_group1 | stats values(user_ldap_user_attributes_memberOf) as Group | makemv delim="," Group
here is my results-
CN=ExchangeUsers
OU=Groups
OU=business
DC=us
DC=ad
DC=corp
DC=com
CN=FAMS_Users
OU=Groups
OU=business
DC=us
DC=ad
DC=corp
DC=com
CN=EXCHANGE_ACTIVESYNC
OU=Dynagroups
OU=Enterprise Groups
DC=us
DC=ad
DC=corp
DC=com
CN=Tableau
OU=Groups
OU=business
DC=us
DC=ad
DC=corp
DC=com
CN=Web_Access
OU=Groups
OU=business
DC=us
DC=ad
DC=corp
DC=com
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
See of one of these give you what you're looking for
sourcetype=mysearch user_ldap_user_attributes_memberOf=business_group1 | stats values(user_ldap_user_attributes_memberOf) as Group | makemv delim="," Group | mvexpand Group | search Group="CN*"
*OR*
sourcetype=mysearch user_ldap_user_attributes_memberOf=business_group1 | stats values(user_ldap_user_attributes_memberOf) as Group | makemv delim="," Group | eval Group=mvfilter(Group, "CN=")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
See of one of these give you what you're looking for
sourcetype=mysearch user_ldap_user_attributes_memberOf=business_group1 | stats values(user_ldap_user_attributes_memberOf) as Group | makemv delim="," Group | mvexpand Group | search Group="CN*"
*OR*
sourcetype=mysearch user_ldap_user_attributes_memberOf=business_group1 | stats values(user_ldap_user_attributes_memberOf) as Group | makemv delim="," Group | eval Group=mvfilter(Group, "CN=")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The first query worked like a charm. The second gave me an error "The arguments to the 'mvfilter' function are invalid."
Thanks! I was WAY over thinking it
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
