topic regex to pull cn fields in Security

regex to pull cn fields

spluser1 — Thu, 19 Oct 2023 10:02:04 GMT

Hey everyone,

I have this format -

cn=<name>,ou=<>,ou=people,dc=<>,dc=<>,dc=<> that i'm pulling that i need to use only the cn= field. how can i do it with the regex command? is that possible?

thanks!!

Re: regex to pull cn fields

isoutamo — Thu, 19 Oct 2023 10:15:11 GMT

you could use this

... | rex field=<your existing field> "cn=(?<cn>[^,]+)"

r. Ismo

PS. regex101.com is excellent place to test these!

Re: regex to pull cn fields

spluser1 — Thu, 19 Oct 2023 10:20:30 GMT

thanks for the info.

when saying your existing field you mean to put the actual field that contain the format? also is there a way to save that so i could do a stats to show the output only with the cn value?

Re: regex to pull cn fields

isoutamo — Thu, 19 Oct 2023 10:25:39 GMT

If you have extracted that whole value into some field (e.g. ldap_query) then use it. If that value is still in _raw then you could leave that field=xxxx part away. Just see https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rex

Re: regex to pull cn fields

spluser1 — Thu, 19 Oct 2023 10:28:49 GMT

excellent, i see it now. works perfect. thanks!

Re: regex to pull cn fields

isoutamo — Thu, 19 Oct 2023 10:32:43 GMT

As it solve you problem, please accept it as Solution so other can see it later.
Happy Splunking!