Hello there,
I am attempting to write a rex command that pulls the distinguished name from a Windows event log. My regular expression claims to be working according to regex101.com; however, in Splunk the field DistName returns null every time when inside of a table. The specific info I am looking for is:
CN=John\, Doe,OU=K-O,OU=Reg,OU=Exit,OU=Heigh,DC=workbuilding,DC=treestump,DC=WalMart,DC=com
Here is my regular expression:
(?<DistName>(?=CN=|cn=).+?(?=.{6}:))
And here is a sample of a log that I am trying to parse:
A member was added to a security-enabled global group. Subject: Security ID: X-9-9-99-999999999-9999999999-999999999-999999 Account Name: Windows10 Account Domain: Logon ID: Member: Security ID: Account Name: CN=John\, Doe,OU=K-O,OU=Reg,OU=Exit,OU=Heigh,DC=workbuilding,DC=treestump,DC=WalMart,DC=com Group: Security ID: 9-9-99-999999999-9999999999-999999999-9999999 Group Name: Raush - Bestie User Certificate Access Group Domain: Additional Information: Privileges:
Any help here would be greatly appreciated!
Try this one:
| rex field=_raw "(?<DistName>(?:CN|cn)=.+?)\s+Group:"
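As an added check (not code from either post above), the script below runs the question's original pattern and a `\s+Group:`-terminated pattern against the sample event in two layouts: the single line pasted in the question, and the same text laid out with the tabs and line breaks that Windows security event text carries, which is an assumption about what Splunk actually indexes as _raw. Python's re module stands in for Splunk's PCRE engine; the only syntax difference that matters here is the named-group opener, which the helper rewrites.

```python
import re

# Constructed sample: the question's event text, laid out the way Windows
# security events arrive (tabs and newlines between fields) instead of
# flattened onto one line.
MULTILINE_EVENT = (
    "A member was added to a security-enabled global group.\n"
    "\n"
    "Subject:\n"
    "\tSecurity ID:\t\tX-9-9-99-999999999-9999999999-999999999-999999\n"
    "\tAccount Name:\t\tWindows10\n"
    "\tAccount Domain:\t\t\n"
    "\tLogon ID:\t\t\n"
    "\n"
    "Member:\n"
    "\tSecurity ID:\t\t\n"
    "\tAccount Name:\t\tCN=John\\, Doe,OU=K-O,OU=Reg,OU=Exit,OU=Heigh,"
    "DC=workbuilding,DC=treestump,DC=WalMart,DC=com\n"
    "\n"
    "Group:\n"
    "\tSecurity ID:\t\t9-9-99-999999999-9999999999-999999999-9999999\n"
    "\tGroup Name:\t\tRaush - Bestie User Certificate Access\n"
    "\tGroup Domain:\t\t\n"
    "\n"
    "Additional Information:\n"
    "\tPrivileges:\t\t\n"
)

# The same event collapsed onto one line, as it was pasted in the question.
FLAT_EVENT = re.sub(r"\s+", " ", MULTILINE_EVENT).strip()

EXPECTED_DN = ("CN=John\\, Doe,OU=K-O,OU=Reg,OU=Exit,OU=Heigh,"
               "DC=workbuilding,DC=treestump,DC=WalMart,DC=com")

# Both patterns are written in Splunk/PCRE syntax, exactly as they would go
# into a rex command.
ORIGINAL_PATTERN = r"(?<DistName>(?=CN=|cn=).+?(?=.{6}:))"
FIXED_PATTERN = r"(?<DistName>(?:CN|cn)=.+?)\s+Group:"


def to_python(pattern: str) -> str:
    """Rewrite PCRE named groups (?<name>...) as Python's (?P<name>...).

    Only the named-group opener is touched; lookbehinds (?<= and (?<! are
    left alone because they are not followed by a name character.
    """
    return re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pattern)


def extract_dn(pattern: str, event: str):
    """Return the DistName capture, or None when the pattern does not match.

    A non-match is what shows up as an empty DistName cell in a Splunk table.
    """
    m = re.search(to_python(pattern), event)
    return m.group("DistName") if m else None


if __name__ == "__main__":
    for name, pat in (("original", ORIGINAL_PATTERN), ("fixed", FIXED_PATTERN)):
        print(f"{name:8} flat      -> {extract_dn(pat, FLAT_EVENT)!r}")
        print(f"{name:8} multiline -> {extract_dn(pat, MULTILINE_EVENT)!r}")
```

On the flattened line both patterns return the full DN, which is why regex101 looked fine. On the multi-line layout the original pattern returns None: `.` does not cross a line break, so the `(?=.{6}:)` lookahead can never see the colon after "Group" once the DN line ends. Terminating on `\s+Group:` instead lets any mix of spaces, tabs and newlines sit between the DN and the next field, so the same rex works whether or not the event arrives on one line.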