Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Rex command returns null despte the regular expression being correct

gynexcore
New Member
‎10-04-2019 11:18 AM

Hello there,

I am attempting to write a rex command that pulls the distinguished name from a windows event log. My regular expression claims to be working according to regex101.com, however, in Splunk the field DistName returns null every time when inside of a table. The specific info i am looking for is:

CN=John\, Doe,OU=K-O,OU=Reg,OU=Exit,OU=Heigh,DC=workbuilding,DC=treestump,DC=WalMart,DC=com

Here is my regular expression:

(?<DistName>(?=CN=|cn=).+?(?=.{6}:))

And here is a sample of a log that I am trying to parse:

A member was added to a security-enabled global group. Subject: Security ID:    X-9-9-99-999999999-9999999999-999999999-999999 Account Name:    Windows10 Account Domain: Logon ID: Member: Security ID:     Account Name:  CN=John\, Doe,OU=K-O,OU=Reg,OU=Exit,OU=Heigh,DC=workbuilding,DC=treestump,DC=WalMart,DC=com Group: Security ID: 9-9-99-999999999-9999999999-999999999-9999999 Group Name: Raush - Bestie User Certificate Access Group Domain: Additional Information: Privileges:

Any help here would be greatly appreciated!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ololdach
Builder
‎10-04-2019 12:10 PM

Try this one: 

(?<DistName>CN=|cn=.+)?\sGroup:

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ololdach
Builder
‎10-04-2019 12:10 PM

Try this one: 

(?<DistName>CN=|cn=.+)?\sGroup:
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...