Here is part of two raw log messages:
"memberOf=CN=AU-SG NAT_ClientReadyApp,OU=UniversalGroups,OU=Groups,DC=au,DC=tworld,DC=GHY,DC=com|CN=AU-SG APC_DKGS_Users,OU=UniversalGroups,OU=Groups,DC=us,DC=tworld,DC=tmgs,DC=com|CN=AU-SG Citrix XenDesktop DTS Users,OU=GlobalGroups,OU=Groups,DC=au,DC=tworld,DC=GHY,DC=com|CN=AU-SG GHY Users,OU=GlobalGroups,OU=Groups,DC=au,DC=tworld,DC=GHY,DC=com"
"memberOf=CN=AU-SG NAT_ClientReadyApp,OU=UniversalGroups,OU=Groups,DC=au,DC=tworld,DC=GHY,DC=com|CN=AU-SG APC_DKGS_Users,OU=UniversalGroups,OU=Groups,DC=us,DC=tworld,DC=tmgs,DC=com|CN=AU-SG Citrix XenDesktop DTS Users,OU=GlobalGroups,OU=Groups,DC=au,DC=tworld,DC=GHY,DC=com|CN=AU-SG GHY Users,OU=GlobalGroups,OU=Groups,DC=au,DC=tworld,DC=GHY,DC=com|CN=AU-SG Desktop DTS Users,OU=GlobalGroups,OU=Groups,DC=au,DC=tworld,DC=GHY,DC=com"
I want to extract a multivalued field by getting all the values of the CNs at search time (preferably in SPL).
For the first message "memberOf" field should be
memberOf= AU-SG NAT_ClientReadyApp
AU-SG APC_DKGS_Users
AU-SG Citrix XenDesktop DTS Users
For the second message, "memberOf" field should be
memberOf= AU-SG NAT_ClientReadyApp
AU-SG APC_DKGS_Users
AU-SG Citrix XenDesktop DTS Users
AU-SG Desktop DTS Users
Hi smehmood,
What exactly is your need?
If your need is to extract all CNs and show a string with "memberOf= " followed by all the CNs of each message, try something like this (sorry, I used a regex, but rex is an SPL command!):
index=my_index sourcetype=my_sourcetype
| rex "CN\=(?<my_CN>[^,]*)" max_match=0
| nomv my_CN
| eval my_CN="memberOf= "+my_CN
| table my_CN
The result is:
my_CN
memberOf= AU-SG NAT_ClientReadyApp AU-SG APC_DKGS_Users AU-SG Citrix XenDesktop DTS Users AU-SG GHY Users AU-SG Desktop DTS Users
memberOf= AU-SG NAT_ClientReadyApp AU-SG APC_DKGS_Users AU-SG Citrix XenDesktop DTS Users AU-SG GHY Users
Bye.
Giuseppe
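A run-anywhere variant that keeps the result as a true multivalue field, added here as an example and not part of either post: it drops `nomv` and anchors the pattern so that only the leading `CN=` of each pipe-delimited DN is captured. That matters for groups stored in a container such as `CN=Users`, where an unanchored `CN\=` match would also return `Users` as if it were a group name. The two events are constructed samples, the group `Example Admins` and the field names `n` and `group_count` are assumptions, and escaped commas inside a CN are not handled.

```spl
| makeresults count=2
| streamstats count AS n
| eval _raw=case(
    n=1, "memberOf=CN=AU-SG NAT_ClientReadyApp,OU=UniversalGroups,OU=Groups,DC=au,DC=tworld,DC=GHY,DC=com|CN=AU-SG GHY Users,OU=GlobalGroups,OU=Groups,DC=au,DC=tworld,DC=GHY,DC=com",
    n=2, "memberOf=CN=Example Admins,CN=Users,DC=au,DC=tworld,DC=GHY,DC=com|CN=AU-SG Desktop DTS Users,OU=GlobalGroups,OU=Groups,DC=au,DC=tworld,DC=GHY,DC=com")
| rex max_match=0 "(?:memberOf=|\|)CN=(?<memberOf>[^,]+)"
| eval group_count=mvcount(memberOf)
| table n memberOf group_count
```

Against real data, replace the first three commands with the base search (`index=my_index sourcetype=my_sourcetype`); `mvexpand memberOf` then gives one row per group if membership needs to be counted or joined against a watchlist.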