I am doing the following search on Splunk 4.3.6 search head:
sourcetype="WinEventLog:Security" EventCode=5136 Class=groupPolicyContainer | eval DN=replace(DN,"}","},") | ldapfilter domain=$Account_Domain$ search="(distinguishedName=$DN$)" attrs=displayName
The idea is to get the display name of the modified GPO. The search produces the expected results. However, when I try to pipe the result to a table like this:
| table Account_Name,displayName
Well I figured out the problem. In my case it is returning the displayName as a multivalue field, the first value being empty and the second value containing what I expect. I added the following to my search:
...|eval displayName=mvindex(displayName,-1)|...
This does seem to work, but isn't really a great solution; when I create a table based on the mvindex'd field name, I am seeing loads of results with empty values, and attempting to remove them with a "| search NOT displayName=""" doesn't work...
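A variant of the search that removes the empty multivalue element instead of picking the last one, and that keeps rows whose directory lookup returned nothing visible rather than blank. This is an added example, not a search from the original thread; it reuses the field names above and assumes ldapfilter behaves as in the question (an unresolved DN leaves displayName empty or null):

```spl
sourcetype="WinEventLog:Security" EventCode=5136 Class=groupPolicyContainer
| eval DN=replace(DN,"}","},")
| ldapfilter domain=$Account_Domain$ search="(distinguishedName=$DN$)" attrs=displayName
| eval displayName=mvfilter(match(displayName, "."))
| fillnull value="(no displayName returned)" displayName
| stats count AS modifications, values(displayName) AS gpo_display_name BY Account_Name, DN
| sort - modifications
```

Rows labelled "(no displayName returned)" are GPO DNs the lookup could not resolve (for example a container that no longer exists), which is worth reviewing rather than filtering out of the table.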