topic Regex Help Needed in Splunk Search

Regex Help Needed

ttchorz — Mon, 27 Jun 2016 19:04:25 GMT

I am not an expert with regex and I am trying to extract a field name= First, Last out of the following string

user=LDAP://Server OU=Typical,OU=Users,OU=Branch,DC=domain,DC=com/First\, Last

Any help is appreciated

Re: Regex Help Needed

richgalloway — Mon, 27 Jun 2016 19:14:16 GMT

This should do it.

... | rex "DC=\w+\/(?<name>[^\\]+)\\, (?<last>\w+)" | ...

BTW, regex101.com is your friend. 😉

Re: Regex Help Needed

drumster88 — Mon, 27 Jun 2016 19:34:17 GMT

Hi Rich,

I was able to understand the regex except the point where we added [^\] after name capturing. The other character '\' after First could be understood to be escaped properly but why [^\]

Thanks !

Re: Regex Help Needed

ttchorz — Mon, 27 Jun 2016 19:41:46 GMT

Is there an efficient way to extract the two values to one field ? Lets say User(name, last) ? Or should the fields be merged after being extracted?

Re: Regex Help Needed

richgalloway — Mon, 27 Jun 2016 19:56:50 GMT

I read the '\' as a delimiter rather than an escaped comma. Try this regex to get the entire name in one field.

... | rex "DC=\w+\/(?<name>[\w, \\]+)" | ...

This will probably leave the escaped comma in the name field. I've been unsuccessful removing it.

Re: Regex Help Needed

ttchorz — Mon, 27 Jun 2016 20:04:17 GMT

that works but it also captures "\" after name and before the comma so it look like "name\, last" any way of removing "\" ?

Re: Regex Help Needed

richgalloway — Mon, 27 Jun 2016 20:14:30 GMT

Like I said in my last comment, I've been unsuccessful at removing the '\'. I just tried something else that worked. Add this after the above rex command.

| rex field=name mode=sed "s/\\\//g" | ...

Re: Regex Help Needed

aholzel — Fri, 01 Jul 2016 09:58:21 GMT

I would extract it as two separate fields like this:

DC\=com\/(?<first>[^\\]*)\\\,\s*(?<last>[^\$]*)

and than create a calculated field user that puts them together, that way you can search efficiently on the complete name or on the first or last name.

Re: Regex Help Needed

Richfez — Fri, 01 Jul 2016 13:07:01 GMT

Well, sort of but you get the yucky stuff in the middle.

DC=\w+\/(?<name>[^\\]+\\, \w+)

That would give you First\, Last which is ... probably not quite what you desire. You can't split a single field up like what you want... no, you can't combine two individual things into one field? Either way, I'm not aware of a way to do that, so just combine 'em at the end.

 ... | rex "DC=\w+\/(?<name>[^\\]+)\\, (?<last>\w+)" | eval FullName=name." ".last | ...

There's a zillion ways to accomplish that, but if I didn't fat finger it there's one. It's fragile, though - if you have an event without a first name, well, you'll not have a FullName either. 🙂 More help can be given if required, but if it works for your needs then it's probably good enough.

If this or the other answer resolves your needs (you can apply my mini-extra-solution to either!), could you please mark one as the answer to help everyone else who stumbles across this answer later?

Re: Regex Help Needed

ttchorz — Fri, 01 Jul 2016 16:11:16 GMT

Thanks all! All of your answers were helpful and let me accomplish what I was looking for.