topic Re: Does Splunk support regex support with look behind and look ahead? in Splunk Search

Does Splunk support regex support with look behind and look ahead?

santorof — Thu, 22 Feb 2018 13:55:22 GMT

Does Splunk support regex look behind and look ahead? Specifically, I have a log that has the following:

CN=LastName\, FirstName

I am trying to use look behind to target anything before a comma after the first name and look ahead to target anything before CN=

Not sure if it would be easier to separate what I am trying to capture into first name and last name where im capturing the first name anything after CN= and before the forward slash. For first name anything after forward slash comma and before another comma.

This is the regex command I have currently: ( ? ! , ) * (? < ! CN=)

Re: Does Splunk support regex support with look behind and look ahead?

gcusello — Thu, 22 Feb 2018 14:12:24 GMT

Hi santorof,
could you share an example of your log and what do you want to extract?
(use the Code Sample button to display logs and regexes).

Anyway, if your log is the one you showed ( CN=LastName\, FirstName, ) and you want to extract two fields (Lastname and FirstName), you could try something like this

| rex "CN\=(?<LastName>[^\\]*)\\,\s(?<FirstName>[^,]*),"

As you can test at https://regex101.com/r/5pWObU/1

Bye.
Giuseppe

Re: Does Splunk support regex support with look behind and look ahead?

santorof — Thu, 22 Feb 2018 14:23:32 GMT

Heres one of the logs I have from my multi factor authentication logs:

2018-02-22T13:39:24.320950Z|i|1624|1996|pfsvc|Pfauth succeeded for user 'CN=Ziti\, Frank,CN=Users,DC=tort,DC=net' (distinguishedName format) from 255.255.255.255. Call status: SUCCESS - "Signal Entered".

Ziti is the last name and Frank is the first name. Those arent static and are different for each log.

Re: Does Splunk support regex support with look behind and look ahead?

gcusello — Thu, 22 Feb 2018 14:56:15 GMT

Hi santorof,
try my regex and check if it covers all your logs.
Otherwise we could check if it must be modified or maybe we could use more regexes collected with the coalesce function.

Anyway, as you can see at https://regex101.com/r/5pWObU/2 also the new example you shared is correctly read from the regex.

Bye.
Giuseppe

Re: Does Splunk support regex support with look behind and look ahead?

santorof — Tue, 29 Sep 2020 18:10:02 GMT

Giuseppe,

Thanks for the regex command. I piped it after my main search but not seeing the fields populate on the left hand side. Should I be doing a table command of FirstName and LastName?

index=dual_factor_auth status=SUCCESS | rex "CN=(?[^\])\,\s(?[^,])," | table FirstName , LastName

Re: Does Splunk support regex support with look behind and look ahead?

gcusello — Thu, 22 Feb 2018 16:25:49 GMT

Hi santorof,
please use Code Sample button otherwise I cannot read your code!
anyway, the search will be

index=dual_factor_auth status=SUCCESS 
| rex "CN\=(?<LastName>[^\\]*)\\,\s(?<FirstName>[^,]*)," 
| table FirstName , LastName

If you don't use a table command you'll have your two new fields in the fields related to your logs (left side of your screen).
If you want to list them you must use table command
If only few events have these fields, filter your logs to be sure that regex is correct.

Bye.
Giuseppe

Re: Does Splunk support regex support with look behind and look ahead?

santorof — Thu, 22 Feb 2018 16:49:41 GMT

I did a bit more filtering so I am only returning events that have the CN=. I am not getting any results on the left and using the table FirstName , Last Name I am not getting any results. Is this because im running an older version of Splunk?(6.6.2)

Re: Does Splunk support regex support with look behind and look ahead?

gcusello — Thu, 22 Feb 2018 16:59:13 GMT

Splunk version it's Ok.
see if in the selected events there are someone where there are "CN=Ziti\, Frank,"
and for test put in your main search "Ziti", to check if the regex correctly works.
Bye.
Giuseppe

Re: Does Splunk support regex support with look behind and look ahead?

santorof — Fri, 23 Feb 2018 13:05:59 GMT

Got it to work. Thank you for the assistance!