Splunk Search

Trim an entry for field extraction

bshuford
Path Finder

How would I take an entry like this:

Member ID: CN=Test audit,OU=Users,OU=Office,OU=State,DC=domain,DC=local

and make it look like this....

Test audit

In a report generated in an e-mail? I'd like to trim it up.

Here's my original search

source="WinEventLog:Security" OR source="WinEventLog:Application" OR source="WinEventLog:system" EventCode "632" OR "633" OR "660" OR "661" OR "636" OR "637" "Domain Admins" OR "Account Operators" OR "Administrators" OR "Backup Operators" OR "Guests" OR "Network Configuration Operators" OR "Print Operators" OR "Remote Desktop Users" OR "Server Operators" OR "Users" OR "DNSAdmins" OR "DnsUpdateProxy" OR "Domain Guests" OR "Enterprise Admins" OR "Group Policy Creator Owners" OR "Schema Admins" |convert ctime(_time) AS Time | table Time,User,Target_Account_Name,Member_Name,Added_Removed | rename User to "Change Made By", Target_Account_Name to "Global Group", Member_Name to "Account Affected", Added_Removed to "Status" | rex "CN=(?<out>[^,]+),"

1 Solution

Paolo_Prigione
Builder

Have you tried with a rex field extraction?

| rex "CN=(?<out>[^,]+),"

bshuford
Path Finder

CN= does appear twice. I did already try rex field=Member_Name "CN=(?<out>[^,]+)," and that didn't work either. That's exactly what I was thinking.

0 Karma

Lowell
Super Champion

bshuford, please post your full search in your original question instead of putting it in a comment, for readability. (Use the "edit" link under your question at the top.) Also, you could try adding "field" to your rex command, like so: rex field=Member_ID "CN=(?<out>[^,]+)," but that shouldn't be necessary unless "CN=" appears multiple times in your event.

0 Karma
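As an added example (not code from this thread or from Splunk), the rex pattern from the accepted answer exercised in Python, which spells the named group (?P<out>...) where Splunk's PCRE-based rex uses (?<out>...): it shows why rex without field= can pick up the wrong CN= when an event contains two distinguished names, the point Lowell makes above, and adds an extract_cn helper that also copes with names containing escaped commas. SAMPLE_EVENT is a constructed event, and field_value, first_cn_in_raw, first_cn_in_field and extract_cn are hypothetical helper names, not SPL commands.

```python
import re

# Constructed sample event (not from the thread), laid out like a multi-line
# Windows security event.  Two DN-valued lines mean "CN=" occurs twice, the
# case Lowell raises: rex on _raw takes the first match, rex field=... does not.
SAMPLE_EVENT = (
    "EventCode=632\n"
    "Target Account Name:\tCN=Domain Admins,CN=Users,DC=domain,DC=local\n"
    "Member ID:\tCN=Test audit,OU=Users,OU=Office,OU=State,DC=domain,DC=local\n"
)

# Splunk's rex uses PCRE (?<out>...); Python spells the same named group (?P<out>...).
NAIVE_CN = re.compile(r"CN=(?P<out>[^,]+),")


def first_cn_in_raw(raw: str) -> str:
    """Behaves like `| rex "CN=(?<out>[^,]+),"` with no field=: first match in _raw wins."""
    m = NAIVE_CN.search(raw)
    return m.group("out") if m else ""


def field_value(raw: str, label: str) -> str:
    """Stand-in for Splunk's own field extraction: return the value on the
    line that starts with `label:` (hypothetical helper, not an SPL command)."""
    m = re.search(r"^" + re.escape(label) + r":\s*(.*)$", raw, re.MULTILINE)
    return m.group(1).strip() if m else ""


def first_cn_in_field(raw: str, label: str) -> str:
    """Behaves like `| rex field=Member_ID "CN=(?<out>[^,]+),"`: the pattern is
    applied to that one field, so other CN= occurrences in the event are ignored."""
    m = NAIVE_CN.search(field_value(raw, label))
    return m.group("out") if m else ""


def extract_cn(dn: str) -> str:
    """Return the first CN of an LDAP DN.  Unlike the one-line rex, this honours
    RFC 4514 escaping: a backslash-escaped comma inside the value (CN=Smith\\, John)
    is part of the name, so the DN is split on unescaped commas only, and a CN
    that is the last RDN (no trailing comma) is still found."""
    for rdn in re.split(r"(?<!\\),", dn):
        key, _, value = rdn.partition("=")
        if key.strip().upper() == "CN":
            return value.strip().replace("\\,", ",")
    return ""
```

Against SAMPLE_EVENT, first_cn_in_raw returns "Domain Admins" (the wrong DN) while first_cn_in_field(SAMPLE_EVENT, "Member ID") returns "Test audit".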

Ron_Naken
Splunk Employee

That works, too. Way easier. =P

0 Karma

Ron_Naken
Splunk Employee

Given your sample data, this will create a field called out that has a value of Test audit.

... | eval tmp=split(myfield, ",") | eval out=substr(mvfilter(match(tmp,"CN=")),15)

Ron_Naken
Splunk Employee

Not sure, but the rex solution Paolo provided would be much easier.

0 Karma

bshuford
Path Finder

Oh, the other question is: what is the 15? Counting 15 characters from the CN=? If so, what if the name is longer?

0 Karma

bshuford
Path Finder

OK, I get this, but it's not working.
Here is what I put at the end of my search:

| eval tmp=split(Target_Account_Name, ",") | eval out=substr(mvfilter(match(tmp,"CN=")),15)

What am I doing wrong?

0 Karma