Splunk Enterprise

Alternatives to using MVExpand - running into limitations

ch1221
Explorer

I'm looking for another way to run the search below and expand the computer field. This search is pulling systems belonging to a specific group in AD and then cleaning up the name from the member_dn field.  It them puts it into a lookup table to use in ES.
Mvexpand is running into limitations with memory and I cannot adjust it high enough to extract all of the values.  

|ldapsearch domain=default search="(&(objectclass=group)(cn=Eng_Computers))" | table cn,distinguishedName | ldapgroup| table cn,member_dn,member_type
| rex field=member_dn "CN\=(?P<computer>[\w\-\_]+)(?=\,\w{2}\=)" |mvexpand computer |table computer | sort computer |outputlookup eng_systems.csv

Suggestions are appreciated.

 

Labels (1)
Tags (2)
0 Karma
1 Solution

ITWhisperer
Ultra Champion

Do you only have 1 event? If so, that is probably the issue. The expansion works for multiple rows. Try this instead

| streamstats count as row
| eval steps=mvcount(member_dn)
| streamstats sum(steps) as toprow
| eval maxrow=toprow
| reverse
| append [| makeresults | eval toprow=1 | fields - _time]
| reverse
| makecontinuous toprow
| reverse
| filldown
| sort toprow
| eval member_dn=mvindex(member_dn,maxrow-toprow)
| fields - maxrow toprow row steps
| rex field=member_dn "CN\=(?P<computer>[\w\-\_]+)(?=\,\w{2}\=)"

 

View solution in original post

0 Karma

ITWhisperer
Ultra Champion

Instead of

| rex field=member_dn "CN\=(?P<computer>[\w\-\_]+)(?=\,\w{2}\=)" |mvexpand computer

try this (a bit tortuous admittedly)

| streamstats count as row
| eval steps=mvcount(member_dn)
| streamstats sum(steps) as toprow
| eval maxrow=toprow
| makecontinuous toprow
| reverse
| filldown
| eval toprow=if(row=1,1,toprow)
| makecontinuous toprow
| filldown
| eval member_dn=mvindex(member_dn,maxrow-toprow)
| fields - maxrow toprow row steps
| rex field=member_dn "CN\=(?P<computer>[\w\-\_]+)(?=\,\w{2}\=)"

 

0 Karma

ch1221
Explorer

unfortunately that only returns one system out of the group.

0 Karma

ITWhisperer
Ultra Champion

OK try it the other around

| rex max_match=0 field=member_dn "CN\=(?P<computer>[\w\-\_]+)(?=\,\w{2}\=)"
| streamstats count as row
| eval steps=mvcount(computer)
| streamstats sum(steps) as toprow
| eval maxrow=toprow
| makecontinuous toprow
| reverse
| filldown
| eval toprow=if(row=1,1,toprow)
| makecontinuous toprow
| filldown
| eval computer=mvindex(computer,maxrow-toprow)
| fields - maxrow toprow row steps
0 Karma

ch1221
Explorer

Still only one system being returned 😞

0 Karma

ITWhisperer
Ultra Champion

Can you share some data of the events you have after

|ldapgroup| table cn,member_dn,member_type
0 Karma

ch1221
Explorer

I removed the additional fields so it's just member_dn.  Here's a very small sample of the 9,000+

member_dn
CN=ORW-EG-M480,OU=Win7,OU=xxx Workstations,OU=xxx,OU=Amer,DC=xxx,DC=xxx,DC=com
CN=FRG-W10-SCH,OU=Win7,OU=xxx,OU=EMEA,DC=xxx,DC=xxx,DC=com
CN=FRS-MARV-L,OU=Win7,OU=xxx,OU=EMEA,DC=mgc,DC=xxx,DC=com

0 Karma

ITWhisperer
Ultra Champion

Is this a multi-value field? Do you get the correct count (in steps) if you do this

| eval steps=mvcount(member_dn)
0 Karma

ch1221
Explorer

Yes, steps returns 9056

0 Karma

ITWhisperer
Ultra Champion

So, does this generate enough copies of the events?

| streamstats count as row
| eval steps=mvcount(member_dn)
| streamstats sum(steps) as toprow
| eval maxrow=toprow
| makecontinuous toprow
| reverse
| filldown
| eval toprow=if(row=1,1,toprow)
| makecontinuous toprow
| filldown
0 Karma

ch1221
Explorer

This still only provides the results as a list in 1 event instead of breaking them out.

0 Karma

ITWhisperer
Ultra Champion

Do you only have 1 event? If so, that is probably the issue. The expansion works for multiple rows. Try this instead

| streamstats count as row
| eval steps=mvcount(member_dn)
| streamstats sum(steps) as toprow
| eval maxrow=toprow
| reverse
| append [| makeresults | eval toprow=1 | fields - _time]
| reverse
| makecontinuous toprow
| reverse
| filldown
| sort toprow
| eval member_dn=mvindex(member_dn,maxrow-toprow)
| fields - maxrow toprow row steps
| rex field=member_dn "CN\=(?P<computer>[\w\-\_]+)(?=\,\w{2}\=)"

 

View solution in original post

0 Karma

ch1221
Explorer

Yes, that works!!!! Thank you so much for your help!!!

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!