https://community.splunk.com/t5/Splunk-Search/How-to-populate-results-from-regex-into-an-ldap-search/m-p/537702#M152024 <P>Thanks <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;. This works and displays the name properly but when used with other items that need to be tabled, it's the only field that returns results. Full search:<BR /><BR /></P><LI-CODE lang="markup">index=azuread sourcetype="ms:aad:audit" activityDisplayName="Update service principal" OR activityDisplayName="Add service principal credentials" | rex field=initiatedBy.user.userPrincipalName "ex(?&lt;GUID&gt;\d+)z\@" | map search="ldapsearch domain=DEFAULT search=\"(&amp;(objectClass=user)(exguid=$GUID$))\"" | table activityDateTime, activityDisplayName, operationType, targetResources{}.displayName, targetResources{}.id, targetResources{}.modifiedProperties{}.displayName, targetResources{}.modifiedProperties{}.oldValue, targetResources{}.modifiedProperties{}.newValue, initiatedBy.user.userPrincipalName, name</LI-CODE> Thu, 28 Jan 2021 19:42:13 GMT fdevera 2021-01-28T19:42:13Z https://community.splunk.com/t5/Splunk-Search/How-to-populate-results-from-regex-into-an-ldap-search/m-p/537514#M151965 <P>How would I take the results from this search:</P><LI-CODE lang="markup">| rex field=initiatedBy.user.userPrincipalName "ex(?&lt;GUID&gt;\d+)z\@"</LI-CODE><P>And populate it into this LDAP search:</P><LI-CODE lang="markup">| ldapsearch domain=DEFAULT search="(&amp;(objectClass=user)(exguid=GUID))" | table name</LI-CODE> Wed, 27 Jan 2021 23:49:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-populate-results-from-regex-into-an-ldap-search/m-p/537514#M151965 fdevera 2021-01-27T23:49:52Z https://community.splunk.com/t5/Splunk-Search/How-to-populate-results-from-regex-into-an-ldap-search/m-p/537522#M151968 <P>Depending on how many results the first search returns, this may work</P><LI-CODE lang="markup">... | rex field=initiatedBy.user.userPrincipalName "ex(?&lt;GUID&gt;\d+)z\@" | map search="ldapsearch domain=DEFAULT search=\"(&amp;(objectClass=user)(exguid=$GUID$))\"" | table name</LI-CODE> Thu, 28 Jan 2021 01:37:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-populate-results-from-regex-into-an-ldap-search/m-p/537522#M151968 richgalloway 2021-01-28T01:37:30Z https://community.splunk.com/t5/Splunk-Search/How-to-populate-results-from-regex-into-an-ldap-search/m-p/537702#M152024 <P>Thanks <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;. This works and displays the name properly but when used with other items that need to be tabled, it's the only field that returns results. Full search:<BR /><BR /></P><LI-CODE lang="markup">index=azuread sourcetype="ms:aad:audit" activityDisplayName="Update service principal" OR activityDisplayName="Add service principal credentials" | rex field=initiatedBy.user.userPrincipalName "ex(?&lt;GUID&gt;\d+)z\@" | map search="ldapsearch domain=DEFAULT search=\"(&amp;(objectClass=user)(exguid=$GUID$))\"" | table activityDateTime, activityDisplayName, operationType, targetResources{}.displayName, targetResources{}.id, targetResources{}.modifiedProperties{}.displayName, targetResources{}.modifiedProperties{}.oldValue, targetResources{}.modifiedProperties{}.newValue, initiatedBy.user.userPrincipalName, name</LI-CODE> Thu, 28 Jan 2021 19:42:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-populate-results-from-regex-into-an-ldap-search/m-p/537702#M152024 fdevera 2021-01-28T19:42:13Z https://community.splunk.com/t5/Splunk-Search/How-to-populate-results-from-regex-into-an-ldap-search/m-p/537742#M152035 <P>I have no suggestions about that.</P> Thu, 28 Jan 2021 22:00:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-populate-results-from-regex-into-an-ldap-search/m-p/537742#M152035 richgalloway 2021-01-28T22:00:30Z