Splunk Search

Does Splunk support regex with look behind and look ahead?

Path Finder

Does Splunk support regex look behind and look ahead? Specifically, I have a log that has the following:

CN=LastName\, FirstName

I am trying to use look behind to target anything before a comma after the first name and look ahead to target anything before CN=

Not sure if it would be easier to separate what I am trying to capture into first name and last name where I'm capturing the first name anything after CN= and before the forward slash. For first name anything after forward slash comma and before another comma.

This is the regex command I have currently: (?!,)*(?<!CN=)


Legend

Hi santorof,
could you share an example of your log and what you want to extract?
(use the Code Sample button to display logs and regexes).

Anyway, if your log is the one you showed ( CN=LastName\, FirstName, ) and you want to extract two fields (Lastname and FirstName), you could try something like this

| rex "CN\=(?<LastName>[^\\]*)\\,\s(?<FirstName>[^,]*),"

As you can test at https://regex101.com/r/5pWObU/1

Bye.
Giuseppe

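To see the accepted rex pattern and the lookbehind/lookahead approach from the original question side by side, here is an added Python example; it is not part of the thread and not Splunk's own code. Splunk's rex uses PCRE, so `(?<name>...)` groups and lookaround both work there; Python's re module spells named groups `(?P<name>...)`, which is the only change made to Giuseppe's pattern. The two sample events are constructed: the first is the log line quoted later in the thread, the second is a made-up event whose CN has no "LastName\, FirstName" form, to show what happens on events the pattern does not match.

```python
import re

# Constructed sample events. The first is the log line quoted in the thread;
# the second is made up (a CN without the escaped "\, FirstName" part), so the
# extraction should not fire on it.
SAMPLE_EVENTS = [
    "2018-02-22T13:39:24.320950Z|i|1624|1996|pfsvc|Pfauth succeeded for user "
    "'CN=Ziti\\, Frank,CN=Users,DC=tort,DC=net' (distinguishedName format) "
    "from 255.255.255.255. Call status: SUCCESS - \"Signal Entered\".",
    "2018-02-22T13:40:01.000000Z|i|1624|1996|pfsvc|Pfauth succeeded for user "
    "'CN=svc-backup,CN=Users,DC=tort,DC=net' (distinguishedName format) "
    "from 255.255.255.255. Call status: SUCCESS - \"Signal Entered\".",
]

# The rex pattern from the accepted answer, with Python's (?P<name>...) group
# syntax instead of PCRE's (?<name>...). One literal backslash in the event is
# written "\\" in the raw pattern.
REX_PATTERN = re.compile(r"CN=(?P<LastName>[^\\]*)\\,\s(?P<FirstName>[^,]*),")

# The same two fields taken with the lookbehind/lookahead the question asked
# about: LastName sits between "CN=" and "\,", FirstName between "\, " and ",".
LAST_NAME_LOOKAROUND = re.compile(r"(?<=CN=)[^\\,]+(?=\\,)")
FIRST_NAME_LOOKAROUND = re.compile(r"(?<=\\, )[^,]+(?=,)")


def extract_with_rex(event):
    """Return {'LastName': ..., 'FirstName': ...}, or None when the pattern does not match."""
    m = REX_PATTERN.search(event)
    return m.groupdict() if m else None


def extract_with_lookaround(event):
    """Same fields via lookaround; None when either piece is missing from the event."""
    last = LAST_NAME_LOOKAROUND.search(event)
    first = FIRST_NAME_LOOKAROUND.search(event)
    if not (last and first):
        return None
    return {"LastName": last.group(0), "FirstName": first.group(0)}


def run_search(events):
    """Mimic '... | rex ... | table FirstName , LastName': one row per matching event.

    Events the rex does not match contribute no row, which is why the thread
    suggests filtering on a known name first when the table comes back empty.
    """
    rows = []
    for ev in events:
        fields = extract_with_rex(ev)
        if fields:
            rows.append((fields["FirstName"], fields["LastName"]))
    return rows


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(extract_with_rex(ev), extract_with_lookaround(ev))
    print(run_search(SAMPLE_EVENTS))
```

Both approaches return the same fields for the quoted event and nothing for the constructed one; the lookaround version is useful when you want the name without any surrounding characters in the match, while the named-group rex is the idiomatic Splunk form because rex turns each group into a field.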


Path Finder

Here's one of the logs I have from my multi factor authentication logs:

2018-02-22T13:39:24.320950Z|i|1624|1996|pfsvc|Pfauth succeeded for user 'CN=Ziti\, Frank,CN=Users,DC=tort,DC=net' (distinguishedName format) from 255.255.255.255. Call status: SUCCESS - "Signal Entered".

Ziti is the last name and Frank is the first name. Those aren't static and are different for each log.


Legend

Hi santorof,
try my regex and check if it covers all your logs.
Otherwise we could check if it must be modified or maybe we could use more regexes collected with the coalesce function.

Anyway, as you can see at https://regex101.com/r/5pWObU/2, the new example you shared is also correctly read by the regex.

Bye.
Giuseppe


Path Finder

Giuseppe,

Thanks for the regex command. I piped it after my main search but not seeing the fields populate on the left hand side. Should I be doing a table command of FirstName and LastName?

index=dualfactorauth status=SUCCESS | rex "CN=(?[^\])\,\s(?[^,])," | table FirstName , LastName


Legend

Hi santorof,
please use the Code Sample button, otherwise I cannot read your code!
Anyway, the search will be

index=dual_factor_auth status=SUCCESS 
| rex "CN\=(?<LastName>[^\\]*)\\,\s(?<FirstName>[^,]*)," 
| table FirstName , LastName 

If you don't use a table command you'll have your two new fields in the fields related to your logs (left side of your screen).
If you want to list them you must use the table command.
If only a few events have these fields, filter your logs to be sure that the regex is correct.

Bye.
Giuseppe


Path Finder

I did a bit more filtering so I am only returning events that have the CN=. I am not getting any results on the left and using the table FirstName , LastName I am not getting any results. Is this because I'm running an older version of Splunk? (6.6.2)


Legend

The Splunk version is OK.
See if among the selected events there are some that contain "CN=Ziti\, Frank,"
and, as a test, put "Ziti" in your main search to check that the regex works correctly.
Bye.
Giuseppe


Path Finder

Got it to work. Thank you for the assistance!
