Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Rex command returns null despte the regular expression being correct

gynexcore
New Member
‎10-04-2019 11:18 AM

Hello there,

I am attempting to write a rex command that pulls the distinguished name from a windows event log. My regular expression claims to be working according to regex101.com, however, in Splunk the field DistName returns null every time when inside of a table. The specific info i am looking for is:

CN=John\, Doe,OU=K-O,OU=Reg,OU=Exit,OU=Heigh,DC=workbuilding,DC=treestump,DC=WalMart,DC=com

Here is my regular expression:

(?<DistName>(?=CN=|cn=).+?(?=.{6}:))

And here is a sample of a log that I am trying to parse:

A member was added to a security-enabled global group. Subject: Security ID:    X-9-9-99-999999999-9999999999-999999999-999999 Account Name:    Windows10 Account Domain: Logon ID: Member: Security ID:     Account Name:  CN=John\, Doe,OU=K-O,OU=Reg,OU=Exit,OU=Heigh,DC=workbuilding,DC=treestump,DC=WalMart,DC=com Group: Security ID: 9-9-99-999999999-9999999999-999999999-9999999 Group Name: Raush - Bestie User Certificate Access Group Domain: Additional Information: Privileges:

Any help here would be greatly appreciated!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ololdach
Builder
‎10-04-2019 12:10 PM

Try this one: 

(?<DistName>CN=|cn=.+)?\sGroup:

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ololdach
Builder
‎10-04-2019 12:10 PM

Try this one: 

(?<DistName>CN=|cn=.+)?\sGroup:
0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...