Heres one of the logs I have from my multi factor authentication logs:

2018-02-22T13:39:24.320950Z|i|1624|1996|pfsvc|Pfauth succeeded for user 'CN=Ziti\, Frank,CN=Users,DC=tort,DC=net' (distinguishedName format) from 255.255.255.255. Call status: SUCCESS - "Signal Entered".

Ziti is the last name and Frank is the first name. Those arent static and are different for each log.

Hi santorof,
try my regex and check if it covers all your logs.
Otherwise we could check if it must be modified or maybe we could use more regexes collected with the coalesce function.

Anyway, as you can see at https://regex101.com/r/5pWObU/2 also the new example you shared is correctly read from the regex.

Bye.
Giuseppe

Giuseppe,

Thanks for the regex command. I piped it after my main search but not seeing the fields populate on the left hand side. Should I be doing a table command of FirstName and LastName?

index=dual_factor_auth status=SUCCESS | rex "CN=(?[^\])\,\s(?[^,])," | table FirstName , LastName

Hi santorof,
please use Code Sample button otherwise I cannot read your code!
anyway, the search will be

index=dual_factor_auth status=SUCCESS 
| rex "CN\=(?<LastName>[^\\]*)\\,\s(?<FirstName>[^,]*)," 
| table FirstName , LastName 

If you don't use a table command you'll have your two new fields in the fields related to your logs (left side of your screen).
If you want to list them you must use table command
If only few events have these fields, filter your logs to be sure that regex is correct.

Bye.
Giuseppe

I did a bit more filtering so I am only returning events that have the CN=. I am not getting any results on the left and using the table FirstName , Last Name I am not getting any results. Is this because im running an older version of Splunk?(6.6.2)

Splunk version it's Ok.
see if in the selected events there are someone where there are "CN=Ziti\, Frank,"
and for test put in your main search "Ziti", to check if the regex correctly works.
Bye.
Giuseppe

Got it to work. Thank you for the assistance!