Solved: Rex command returns null despte the regular expres...

gynexcore · ‎10-04-2019

Hello there,

I am attempting to write a rex command that pulls the distinguished name from a windows event log. My regular expression claims to be working according to regex101.com, however, in Splunk the field DistName returns null every time when inside of a table. The specific info i am looking for is:

CN=John\, Doe,OU=K-O,OU=Reg,OU=Exit,OU=Heigh,DC=workbuilding,DC=treestump,DC=WalMart,DC=com

Here is my regular expression:

(?<DistName>(?=CN=|cn=).+?(?=.{6}:))

And here is a sample of a log that I am trying to parse:

A member was added to a security-enabled global group. Subject: Security ID:    X-9-9-99-999999999-9999999999-999999999-999999 Account Name:    Windows10 Account Domain: Logon ID: Member: Security ID:     Account Name:  CN=John\, Doe,OU=K-O,OU=Reg,OU=Exit,OU=Heigh,DC=workbuilding,DC=treestump,DC=WalMart,DC=com Group: Security ID: 9-9-99-999999999-9999999999-999999999-9999999 Group Name: Raush - Bestie User Certificate Access Group Domain: Additional Information: Privileges:

Any help here would be greatly appreciated!

ololdach · ‎10-04-2019

Try this one:

(?<DistName>CN=|cn=.+)?\sGroup:

View solution in original post

ololdach · ‎10-04-2019

Try this one:

(?<DistName>CN=|cn=.+)?\sGroup:

Rex command returns null despte the regular expression being correct

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Join the Conversation

Rex command returns null despte the regular expression being correct

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience