Hi

No

The OU item in ObjectDN field is nver in the same order

For example it can be

ObjectDN=(OU=Admin,OU=toto,OU=Utilsateur,DC=abc,DC=def)

 Or

ObjectDN=(OU=toto,OU=Admin,OU=Utilsateur,DC=abc,DC=def)

But when I execute the rex field below, it's always the first item in ObjectDN which is displayed whatever the where condition is

| rex field=ObjectD match=0 "OU\\s*=\s*(?<OU>\w+)"

 So it means that if the ObjectDN is

ObjectDN=(OU=toto,OU=Admin,OU=Utilsateur,DC=abc,DC=def)

 And the where clause is

| where match(ObjectD,"OU=Admin),DC=abc")

It's the item "toto" dispayed in the field "OU" instead Admin

1. You're referring to either your own regex or @gcusello 's, not mine. I specifically anchored mine regex to capture the last OU.

2. As far as I can see, the multi-value regexes include \w+ as the capturing group whereas any identifier at given path level can contain spaces.

3. All those regexes might (and will) fail if the name at given level contains escaped delimiter (and I'm not sure it can't contain "\," sequence)

Hi @jip31,

sorry: my mistake!

<your_search> 
| rex field=ObjectD max_match=0 "OU\\s*=\s*(?<OU>\w+)"
| rex field=ObjectD max_match=0 "DC\s*\=\s*(?<DC>\w+)"
| search (OU=Admin OR OU=Utilisateurs) DC=abc

in this way, it takes all values and you can use them for searching.

Ciao.

Giuseppe

Well, this solution is only limited to particular types of RDNs.

Since you can have any object classes, I'd try to generalize that parsing. Firstly split all key=value pairs from the DN:

|rex field=ObjectDN max_match=0 "(?<kvpair>[a-zA-Z]+\s*=\s*([^,\\\\]|\\\\(?!,)|\\\\,)*),?"

(see that it also takes care of possible escaped commas within an object name).

Then remove all excessive spaces around the equals sign so that you can match that consistently.

| eval kvpair=mvmap(kvpair,replace(kvpair,"([^=]+?)\s*=\s*(.*)","\1=\2"))

Now you can search your pairs

| search kvpair="OU=Whatever"

 You could also try to unescape some values (like quotation marks) but I was too lazy for that at the moment 😉

Hi

All the OU fields and the CN fields are correctly collected

But the search below do not do the filtering...

| search (OU=Admin OR OU=Utilisateurs) DC=abc

Hi @jip31,

I suppose that you checked also the DC field than the OU.

Anyway, it shouldn't be the issue, but, pleasew try:

| search (OU="Admin" OR OU="Utilisateurs") DC="abc"

Ciao.

Giuseppe

Obviously thanks...

Last question, is it possible to display in the field OU or the field DC only the field specified in

| search (OU="Admin" OR OU="Utilisateurs") DC="abc"

Actually in OU i have also  displayed Admin2 with Admin and Utilisateurs even if i just search Admin OR Utilisateurs

Hi @jip31,

you can build your search as you like: you have the OU and DC fields that you can use as you want using all the combinations you like: you have separated fields that you can use.

Ciao.

Giuseppe

Hi @jip31 ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

Just à little example please?

Hi

Its not the case

This field are enclosed in the field ObjectD

I have foud a workaround with the where clause but i have an issue with the rex field

For example, if i say that OU in ObjectD is équal to "Utilisateurs" the rex field display the first OU fond and not the OU specified in the where clause!

Hi @jip31 

the field should be extracted automatically, but anyway, you can extract these fields and use them in a search

<your_search> 
| rex field=ObjectD match=0 "OU\\s*=\s*(?<OU>\w+)"
| rex field=ObjectD match=0 "DC\s*\=\s*(?<DC>\w+)"
| search (OU=Admin OR OU=Utilisateurs) DC=abc

Ciao.

Giuseppe

Thanks Guiseppe but it's not exactly my need

Imagine i need to match these condition in ObjectD field

| where match(ObjectD,"OU=Admin),DC=abc")

Then i need to create a new field called "OU" with the rex field command and in this field the "Admin" OU must display "Admin"

Hi @jip31,

my solution exacly does what you're requesting: 

• it extract OU and DC from objectD
• then it uses these extracted fields for the filter, 

but it does in a different way, without format problems

Ciao.

Giuseppe

I confirm that your rex example extract the field OU

| rex field=ObjectD match=0 "OU\\s*=\s*(?<OU>\w+)"

But I have another problem

The field ObjectDN looks like this

(OU=Toto,OU=Titi,OU=Admin,DC=abc,DC=efg)

In my where clause, I need to filter events when the condition is true

For example, below, I need to filter the events where OU=Admin

| where match(ObjectD,"OU=Admin),DC=abc")

So you rex command below extract correctly the OU but it's not the good OU

If my field ObjectDN is like this (OU=Toto,OU=Titi,OU=Admin,DC=abc,DC=efg), the OU field extracted is "Toto" while I need to extract "Admin" only because OU=Toto is at the first place in the field ObkectDN

It means that the OU extracted is always the first OU item in the ObjectDN 

If my field to extract the OU "Admin" the ObjectDN field would be this one

(OU=AdminOU=Titi,OU=Toto,DC=abc,DC=efg)

So is there a way to extract the OU corresponding to the where clause no matter is position in the field ObjectName please?