Hi
I have a field called ObjectD which is always different for each event
But in this field, there is always a character chain which begins with OU= and DC=
Example
OU=Admin, OU=toto, OU=Utilsateur, DC=abc, DC=def
I need to filter the events where OU=Admin or OU=Utilisateurs and DC=abc
So I am doing this in my search after the stats
| where match(ObjectD,"OU=Admin|OU=Utilisateurs),DC=abc")
But it doesn't return anything
I also need to create a new field with the name of the OU but because the first clause doesn't work the rex command doesn't work either
Here is my rex
| rex field=ObjectD "^[^=]+=[^=]+=(?<OU>[^,]+)"
Could you help please?
Hi @jip31,
it's a normal search:
| search (OU="Admin*" OR OU="Utilisateurs") DC="abc"
in addition, if you create a field extraction (instead of using the rex command) you can use the search in the main search so you have better performance.
Ciao.
Giuseppe
If I understand you correctly, you want to extract the last OU in your DN below the DC level, right? That would be something like
| rex field=ObjectD "OU\s*=\s*(?<ou>[^=]+)\s*,\s*DC="
(I added a few extra \s* which you might want to get rid of if you're sure they are not needed; I don't remember where the whitespaces in a DN can be).
Then you can filter on the ou field's value.
There is one caveat though and I'll let you work it out yourself.
Hi
No
The OU item in the ObjectDN field is never in the same order
For example it can be
ObjectDN=(OU=Admin,OU=toto,OU=Utilsateur,DC=abc,DC=def)
Or
ObjectDN=(OU=toto,OU=Admin,OU=Utilsateur,DC=abc,DC=def)
But when I execute the rex field below, it's always the first item in ObjectDN which is displayed whatever the where condition is
| rex field=ObjectD match=0 "OU\\s*=\s*(?<OU>\w+)"
So it means that if the ObjectDN is
ObjectDN=(OU=toto,OU=Admin,OU=Utilsateur,DC=abc,DC=def)
And the where clause is
| where match(ObjectD,"OU=Admin),DC=abc")
It's the item "toto" displayed in the field "OU" instead of Admin
1. You're referring to either your own regex or @gcusello 's, not mine. I specifically anchored my regex to capture the last OU.
2. As far as I can see, the multi-value regexes include \w+ as the capturing group whereas any identifier at a given path level can contain spaces.
3. All those regexes might (and will) fail if the name at a given level contains an escaped delimiter (and I'm not sure it can't contain the "\," sequence)
Hi @jip31,
sorry: my mistake!
<your_search>
| rex field=ObjectD max_match=0 "OU\\s*=\s*(?<OU>\w+)"
| rex field=ObjectD max_match=0 "DC\s*\=\s*(?<DC>\w+)"
| search (OU=Admin OR OU=Utilisateurs) DC=abc
in this way, it takes all values and you can use them for searching.
Ciao.
Giuseppe
Well, this solution is only limited to particular types of RDNs.
Since you can have any object classes, I'd try to generalize that parsing. Firstly split all key=value pairs from the DN:
| rex field=ObjectDN max_match=0 "(?<kvpair>[a-zA-Z]+\s*=\s*([^,\\\\]|\\\\(?!,)|\\\\,)*),?"
(see that it also takes care of possible escaped commas within an object name).
Then remove all excessive spaces around the equals sign so that you can match that consistently.
| eval kvpair=mvmap(kvpair,replace(kvpair,"([^=]+?)\s*=\s*(.*)","\1=\2"))
Now you can search your pairs
| search kvpair="OU=Whatever"
You could also try to unescape some values (like quotation marks) but I was too lazy for that at the moment 😉
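The generalized parsing sketched in SPL above, worked through as an added Python example (it is not code from the thread, from Splunk, or from any of the posters). It splits a DN into RDNs while honouring backslash-escaped commas, tolerates whitespace around the equals sign, keeps every value of repeated types such as OU and DC, and then applies the thread's filter (OU=Admin OR OU=Utilisateurs) AND DC=abc, returning only the OU values that actually matched rather than the whole multi-valued OU field. The sample DNs, the event records and the function names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample DNs (not real data from the thread). The third one carries a
# backslash-escaped comma inside a value; the last one does not satisfy the filter.
SAMPLE_DNS = [
    "OU=Admin, OU=toto, OU=Utilisateurs, DC=abc, DC=def",
    "(OU=toto,OU=Admin,OU=Utilsateur,DC=abc,DC=def)",
    "CN=Smith\\, John,OU=Admin,DC=abc,DC=def",
    "OU=Admin2,OU=Utilisateurs,DC=abc,DC=def",
    "OU=Admin,OU=Users,DC=xyz,DC=def",
]

# One RDN: attribute type, optional whitespace around '=', then a value in which a
# backslash escapes the next character, so "\," is part of the value, not a separator.
RDN_RE = re.compile(r"\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*((?:\\.|[^,\\])*)(?:,|$)")


def _unescape(raw: str) -> str:
    """Drop unescaped trailing whitespace, then turn a "\\x" escape into "x"."""
    raw = re.sub(r"(?<!\\)\s+$", "", raw)
    return re.sub(r"\\(.)", r"\1", raw)


def parse_dn(dn: str) -> dict:
    """Split a DN into {TYPE: [value, ...]}, keeping every value of repeated types.
    Wrapping parentheses, as in the thread's "(OU=...,DC=...)" display, are removed."""
    dn = dn.strip()
    if dn.startswith("(") and dn.endswith(")"):
        dn = dn[1:-1]
    attrs = defaultdict(list)
    pos = 0
    while pos < len(dn):
        m = RDN_RE.match(dn, pos)
        if not m:
            raise ValueError(f"malformed RDN at offset {pos}: {dn[pos:]!r}")
        attrs[m.group(1).upper()].append(_unescape(m.group(2)))
        pos = m.end()
    return dict(attrs)


def naive_pairs(dn: str) -> list:
    """What a plain split on ',' yields; it breaks on escaped commas (comparison only)."""
    return [p.strip() for p in dn.strip("()").split(",")]


def matching_ous(dn: str, wanted_ou=("Admin", "Utilisateurs"), dc="abc") -> list:
    """Apply the thread's condition (OU=Admin OR OU=Utilisateurs) AND DC=abc.
    Returns only the OU values that matched, in DN order; an empty list means the
    event is filtered out. Comparison is case-insensitive, like a Splunk search."""
    attrs = parse_dn(dn)
    if dc.casefold() not in {v.casefold() for v in attrs.get("DC", [])}:
        return []
    wanted = {w.casefold() for w in wanted_ou}
    return [ou for ou in attrs.get("OU", []) if ou.casefold() in wanted]


def filter_events(events: list) -> list:
    """Keep events whose ObjectDN satisfies the condition, adding a matched_OU field."""
    kept = []
    for ev in events:
        hits = matching_ous(ev["ObjectDN"])
        if hits:
            kept.append({**ev, "matched_OU": hits})
    return kept


if __name__ == "__main__":
    # Constructed events: one record per sample DN.
    events = [{"id": i, "ObjectDN": dn} for i, dn in enumerate(SAMPLE_DNS)]
    for ev in filter_events(events):
        print(ev["id"], ev["ObjectDN"], "->", ev["matched_OU"])
```

Running it keeps the first four events and drops the DC=xyz one; the escaped-comma DN yields CN "Smith, John" as a single value where a plain comma split produces five fragments. The Python `matching_ous` step corresponds, in SPL, to narrowing the multi-valued OU field with Splunk's own mvfilter() after the rex extractions, for example `| eval matched_OU=mvfilter(match(OU, "^(?i)(Admin|Utilisateurs)$"))`, which is what leaves only the matched OU in the displayed field instead of every OU of the DN.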
Hi
All the OU fields and the CN fields are correctly collected
But the search below does not do the filtering...
| search (OU=Admin OR OU=Utilisateurs) DC=abc
Hi @jip31,
I suppose that you also checked the DC field, not only the OU.
Anyway, it shouldn't be the issue, but please try:
| search (OU="Admin" OR OU="Utilisateurs") DC="abc"
Ciao.
Giuseppe
Obviously thanks...
Last question, is it possible to display in the field OU or the field DC only the field specified in
| search (OU="Admin" OR OU="Utilisateurs") DC="abc"
Actually in OU I also have Admin2 displayed with Admin and Utilisateurs even if I just search Admin OR Utilisateurs
Hi @jip31,
you can build your search as you like: you have the OU and DC fields as separate fields, so you can use them in any combination you like.
Ciao.
Giuseppe
Hi @jip31 ,
good for you, see you next time!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated by all the contributors 😉
Just a little example please?
Hi @jip31
usually in Splunk a field with the pair fieldname=fieldvalue is extracted, so you should have OU and DC as extracted fields.
so why don't you use:
<your_search> (OU=Admin OR OU=Utilisateurs) DC=abc
Ciao.
Giuseppe
Hi
It's not the case
These fields are enclosed in the field ObjectD
I have found a workaround with the where clause but I have an issue with the rex field
For example, if I say that OU in ObjectD is equal to "Utilisateurs" the rex field displays the first OU found and not the OU specified in the where clause!
Hi @jip31
the field should be extracted automatically, but anyway, you can extract these fields and use them in a search
<your_search>
| rex field=ObjectD match=0 "OU\\s*=\s*(?<OU>\w+)"
| rex field=ObjectD match=0 "DC\s*\=\s*(?<DC>\w+)"
| search (OU=Admin OR OU=Utilisateurs) DC=abc
Ciao.
Giuseppe
Thanks Giuseppe but it's not exactly my need
Imagine I need to match these conditions in the ObjectD field
| where match(ObjectD,"OU=Admin),DC=abc")
Then I need to create a new field called "OU" with the rex command and in this field the "Admin" OU must display "Admin"
Hi @jip31,
my solution does exactly what you're requesting:
- it extracts OU and DC from ObjectD
- then it uses these extracted fields for the filter,
but it does it in a different way, without format problems
Ciao.
Giuseppe
I confirm that your rex example extracts the field OU
| rex field=ObjectD match=0 "OU\\s*=\s*(?<OU>\w+)"
But I have another problem
The field ObjectDN looks like this
(OU=Toto,OU=Titi,OU=Admin,DC=abc,DC=efg)
In my where clause, I need to filter events when the condition is true
For example, below, I need to filter the events where OU=Admin
| where match(ObjectD,"OU=Admin),DC=abc")
So your rex command below correctly extracts the OU but it's not the right OU
If my field ObjectDN is like this (OU=Toto,OU=Titi,OU=Admin,DC=abc,DC=efg), the OU field extracted is "Toto" while I need to extract "Admin" only, because OU=Toto is in the first place in the field ObjectDN
It means that the OU extracted is always the first OU item in the ObjectDN
For my rex to extract the OU "Admin", the ObjectDN field would have to be this one
(OU=Admin,OU=Titi,OU=Toto,DC=abc,DC=efg)
So is there a way to extract the OU corresponding to the where clause no matter its position in the field ObjectName please?