topic Re: Help on where match and rex field commands in Splunk Search

Help on where match and rex field commands

jip31 — Thu, 20 Jul 2023 15:29:13 GMT

I have a field called ObjectD which is always different for each events

But in this field, there is always à character chain which begins by OU= and DC=

Example

OU=Admin, OU=toto, OU=Utilsateur, DC=abc, DC=def

I need to filter the events where OU=Admin or OU=Utilisateurs and DC=abc

So i am doing this in my search after the stats

| where match(ObjectD,"OU=Admin|OU=Utilisateurs),DC=abc")

But it returns anything

I also need to create a new field with the name of the OU but because the first clause doesnt works the rex command doesnt works too

Here is my rex

| rex field=ObjectD "^[^=]+=[^=]+=(?<OU>[^,]+)"

Could you help please?

Re: Help on where match and rex field commands

gcusello — Thu, 20 Jul 2023 15:39:19 GMT

Hi @jip31

usually in Splunk a field with the pair fieldname=fieldvalue is extracted, so you should have OU and DC as extracted field.

so why don't you use:

<your_search> (OU=Admin OR OU=Utilisateurs) DC=abc

Ciao.

Giuseppe

Re: Help on where match and rex field commands

jip31 — Thu, 20 Jul 2023 15:56:15 GMT

Its not the case

This field are enclosed in the field ObjectD

I have foud a workaround with the where clause but i have an issue with the rex field

For example, if i say that OU in ObjectD is équal to "Utilisateurs" the rex field display the first OU fond and not the OU specified in the where clause!

Re: Help on where match and rex field commands

gcusello — Thu, 20 Jul 2023 16:37:31 GMT

Hi @jip31

the field should be extracted automatically, but anyway, you can extract these fields and use them in a search

<your_search> | rex field=ObjectD match=0 "OU\\s*=\s*(?<OU>\w+)" | rex field=ObjectD match=0 "DC\s*\=\s*(?<DC>\w+)" | search (OU=Admin OR OU=Utilisateurs) DC=abc

Ciao.

Giuseppe

Re: Help on where match and rex field commands

jip31 — Fri, 21 Jul 2023 01:38:09 GMT

Thanks Guiseppe but it's not exactly my need

Imagine i need to match these condition in ObjectD field

| where match(ObjectD,"OU=Admin),DC=abc")

Then i need to create a new field called "OU" with the rex field command and in this field the "Admin" OU must display "Admin"

Re: Help on where match and rex field commands

gcusello — Fri, 21 Jul 2023 05:48:16 GMT

Hi @jip31,

my solution exacly does what you're requesting:

it extract OU and DC from objectD
then it uses these extracted fields for the filter,

but it does in a different way, without format problems

Ciao.

Giuseppe

Re: Help on where match and rex field commands

jip31 — Fri, 21 Jul 2023 17:33:24 GMT

I confirm that your rex example extract the field OU

| rex field=ObjectD match=0 "OU\\s*=\s*(?<OU>\w+)"

But I have another problem

The field ObjectDN looks like this

(OU=Toto,OU=Titi,OU=Admin,DC=abc,DC=efg)

In my where clause, I need to filter events when the condition is true

For example, below, I need to filter the events where OU=Admin

| where match(ObjectD,"OU=Admin),DC=abc")

So you rex command below extract correctly the OU but it's not the good OU

If my field ObjectDN is like this (OU=Toto,OU=Titi,OU=Admin,DC=abc,DC=efg), the OU field extracted is "Toto" while I need to extract "Admin" only because OU=Toto is at the first place in the field ObkectDN

It means that the OU extracted is always the first OU item in the ObjectDN

If my field to extract the OU "Admin" the ObjectDN field would be this one

(OU=AdminOU=Titi,OU=Toto,DC=abc,DC=efg)

So is there a way to extract the OU corresponding to the where clause no matter is position in the field ObjectName please?

Re: Help on where match and rex field commands

PickleRick — Fri, 21 Jul 2023 18:13:00 GMT

If I understand you correctly, you want to extract the last OU in your DN below the DC level, right? That would be something like

| rex field=ObjectD "OU\s*=\s*(?<ou>[^=]+)\s*,\s*DC=)"

(I added few extra \s* which you might want to get rid of if you're sure they are not needed; I don't remember where the whotespaces in DN can be).

Then you can filter on the ou field's value.

There is one caveat though and I'll let you work it out yurself.

Re: Help on where match and rex field commands

jip31 — Sat, 22 Jul 2023 04:19:12 GMT

The OU item in ObjectDN field is nver in the same order

For example it can be

ObjectDN=(OU=Admin,OU=toto,OU=Utilsateur,DC=abc,DC=def)

ObjectDN=(OU=toto,OU=Admin,OU=Utilsateur,DC=abc,DC=def)

But when I execute the rex field below, it's always the first item in ObjectDN which is displayed whatever the where condition is

| rex field=ObjectD match=0 "OU\\s*=\s*(?<OU>\w+)"

So it means that if the ObjectDN is

ObjectDN=(OU=toto,OU=Admin,OU=Utilsateur,DC=abc,DC=def)

And the where clause is

| where match(ObjectD,"OU=Admin),DC=abc")

It's the item "toto" dispayed in the field "OU" instead Admin

Re: Help on where match and rex field commands

gcusello — Sat, 22 Jul 2023 05:54:16 GMT

Hi @jip31,

sorry: my mistake!

<your_search> | rex field=ObjectD max_match=0 "OU\\s*=\s*(?<OU>\w+)" | rex field=ObjectD max_match=0 "DC\s*\=\s*(?<DC>\w+)" | search (OU=Admin OR OU=Utilisateurs) DC=abc

in this way, it takes all values and you can use them for searching.

Ciao.

Giuseppe

Re: Help on where match and rex field commands

PickleRick — Sat, 22 Jul 2023 08:19:24 GMT

1. You're referring to either your own regex or @gcusello 's, not mine. I specifically anchored mine regex to capture the last OU.

2. As far as I can see, the multi-value regexes include \w+ as the capturing group whereas any identifier at given path level can contain spaces.

3. All those regexes might (and will) fail if the name at given level contains escaped delimiter (and I'm not sure it can't contain "\," sequence)

Re: Help on where match and rex field commands

jip31 — Tue, 25 Jul 2023 09:42:23 GMT

All the OU fields and the CN fields are correctly collected

But the search below do not do the filtering...

| search (OU=Admin OR OU=Utilisateurs) DC=abc

Re: Help on where match and rex field commands

gcusello — Tue, 25 Jul 2023 10:07:47 GMT

Hi @jip31,

I suppose that you checked also the DC field than the OU.

Anyway, it shouldn't be the issue, but, pleasew try:

| search (OU="Admin" OR OU="Utilisateurs") DC="abc"

Ciao.

Giuseppe

Re: Help on where match and rex field commands

jip31 — Tue, 25 Jul 2023 14:30:34 GMT

Obviously thanks...

Last question, is it possible to display in the field OU or the field DC only the field specified in

| search (OU="Admin" OR OU="Utilisateurs") DC="abc"

Actually in OU i have also displayed Admin2 with Admin and Utilisateurs even if i just search Admin OR Utilisateurs

Re: Help on where match and rex field commands

gcusello — Tue, 25 Jul 2023 14:54:45 GMT

Hi @jip31,

you can build your search as you like: you have the OU and DC fields that you can use as you want using all the combinations you like: you have separated fields that you can use.

Ciao.

Giuseppe

Re: Help on where match and rex field commands

jip31 — Tue, 25 Jul 2023 15:47:31 GMT

Just à little example please?

Re: Help on where match and rex field commands

gcusello — Tue, 25 Jul 2023 15:51:42 GMT

HI @jip31 ,

it's a normal search:

| search (OU="Admin*" OR OU="Utilisateurs") DC="abc"

in addition, if you create a field extraction (instead using the rex command) you can use the search in the main search so you have better performances.

Ciao.

Giuseppe

Re: Help on where match and rex field commands

gcusello — Tue, 25 Jul 2023 18:02:53 GMT

Hi @jip31 ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

Re: Help on where match and rex field commands

PickleRick — Wed, 26 Jul 2023 06:36:14 GMT

Well, this solution is only limited to particular types of RDNs.

Since you can have any object classes, I'd try to generalize that parsing. Firstly split all key=value pairs from the DN:

|rex field=ObjectDN max_match=0 "(?<kvpair>[a-zA-Z]+\s*=\s*([^,\\\\]|\\\\(?!,)|\\\\,)*),?"

(see that it also takes care of possible escaped commas within an object name).

Then remove all excessive spaces around the equals sign so that you can match that consistently.

| eval kvpair=mvmap(kvpair,replace(kvpair,"([^=]+?)\s*=\s*(.*)","\1=\2"))

Now you can search your pairs

| search kvpair="OU=Whatever"

You could also try to unescape some values (like quotation marks) but I was too lazy for that at the moment 😉