Splunk Search

How to form splunk query to split a field and make separate fields as per the maximum number of partitions?

smitapatankarso
Explorer

I have some strings like below returned by my splunk base search:

"CN=aa,OU=bb,DC=cc,DC=dd,DC=ee"
"CN=xx,OU=bb,DC=cc,DC=yy,DC=zz"
"CN=ff,OU=gg,OU=hh,DC=ii,DC=jj"
"CN=kk,DC=ll,DC=mm"

Note: CN,OU,DC could be 0 or many.

My ultimate goal is to find all OUs something like below.

(The combinations also need to be unique.)

(All blank lines can be excluded.)

eg:

bb     (blank)
gg      hh
(blank) (blank)

The query that am using currently is very naive.

Plus it is not generic.

It will work if atleast one of my split results into 5 parts (0,1,2,3,4).

But, it will not work and give blank results if none of my split results into 5 parts (0,1,2,3,4) i.e. all of them result in less than 5 parts.

index=xx sourcetype=yy
| fields s
| rex field=s mode=sed "s/,DC=.*//g"
| eval temp=split(s,",OU=")
| eval a=mvindex(temp,1)
| eval b=mvindex(temp,2)
| eval c=mvindex(temp,3)
| eval d=mvindex(temp,4)
| dedup a b c d
| table a,b,c,d

How to make it generic i.e. get the count of split and make fields as per maximum split length?

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

I couldn't come up with a generic way to put each OU in a separate field. I think I have a decent equivalent, however. It shows the unique sets of OUs.

index=xx sourcetype=yy
| fields s
| rex field=s max_match=0 "OU=(?<OU>[^,]+)"
| eval OUs=mvjoin(OU, ",")
| dedup OUs
| table OUs
---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

I couldn't come up with a generic way to put each OU in a separate field. I think I have a decent equivalent, however. It shows the unique sets of OUs.

index=xx sourcetype=yy
| fields s
| rex field=s max_match=0 "OU=(?<OU>[^,]+)"
| eval OUs=mvjoin(OU, ",")
| dedup OUs
| table OUs
---
If this reply helps you, Karma would be appreciated.

smitapatankarso
Explorer

saved my effort of further processing as well.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...