Splunk Search

Help on where match and rex field commands

jip31
Motivator

Hi

I have a field called ObjectD which is always different for each event

But in this field, there is always a string of characters which begins with OU= and DC=

Example

OU=Admin,  OU=toto, OU=Utilsateur, DC=abc, DC=def

I need to filter the events where OU=Admin or OU=Utilisateurs and DC=abc

So I am doing this in my search after the stats

| where match(ObjectD,"OU=Admin|OU=Utilisateurs),DC=abc")

But it doesn't return anything

I also need to create a new field with the name of the OU, but because the first clause doesn't work, the rex command doesn't work either

Here is my rex

| rex field=ObjectD "^[^=]+=[^=]+=(?<OU>[^,]+)"

Could you help please?

0 Karma
1 Solution

gcusello
SplunkTrust

Hi @jip31,

it's a normal search:

| search (OU="Admin*" OR OU="Utilisateurs") DC="abc"

In addition, if you create a field extraction (instead of using the rex command) you can use the search in the main search, so you have better performance.

Ciao.

Giuseppe


0 Karma

PickleRick
SplunkTrust

If I understand you correctly, you want to extract the last OU in your DN below the DC level, right? That would be something like

| rex field=ObjectD "OU\s*=\s*(?<ou>[^=]+)\s*,\s*DC="

(I added a few extra \s* which you might want to get rid of if you're sure they are not needed; I don't remember where the whitespace in a DN can be).

Then you can filter on the ou field's value.

There is one caveat though and I'll let you work it out yourself.

0 Karma

jip31
Motivator

Hi

No

The OU items in the ObjectDN field are never in the same order

For example it can be

ObjectDN=(OU=Admin,OU=toto,OU=Utilsateur,DC=abc,DC=def)

 Or

ObjectDN=(OU=toto,OU=Admin,OU=Utilsateur,DC=abc,DC=def)

But when I execute the rex below, it's always the first item in ObjectDN which is displayed, whatever the where condition is

| rex field=ObjectD match=0 "OU\\s*=\s*(?<OU>\w+)"

 So it means that if the ObjectDN is

ObjectDN=(OU=toto,OU=Admin,OU=Utilsateur,DC=abc,DC=def)

 And the where clause is

| where match(ObjectD,"OU=Admin),DC=abc")

It's the item "toto" that is displayed in the field "OU" instead of Admin

0 Karma

PickleRick
SplunkTrust

1. You're referring to either your own regex or @gcusello 's, not mine. I specifically anchored my regex to capture the last OU.

2. As far as I can see, the multi-value regexes use \w+ as the capturing group, whereas any identifier at a given path level can contain spaces.

3. All those regexes might (and will) fail if the name at a given level contains an escaped delimiter (and I'm not sure it can't contain a "\," sequence)

0 Karma

gcusello
SplunkTrust

Hi @jip31,

sorry: my mistake!

<your_search> 
| rex field=ObjectD max_match=0 "OU\\s*=\s*(?<OU>\w+)"
| rex field=ObjectD max_match=0 "DC\s*\=\s*(?<DC>\w+)"
| search (OU=Admin OR OU=Utilisateurs) DC=abc

In this way, it takes all values and you can use them for searching.

Ciao.

Giuseppe

0 Karma

PickleRick
SplunkTrust

Well, this solution is limited to particular types of RDNs.

Since you can have any object classes, I'd try to generalize that parsing. Firstly, split all key=value pairs from the DN:

|rex field=ObjectDN max_match=0 "(?<kvpair>[a-zA-Z]+\s*=\s*([^,\\\\]|\\\\(?!,)|\\\\,)*),?"

(note that it also takes care of possible escaped commas within an object name).

Then remove all excessive spaces around the equals sign so that you can match that consistently.

| eval kvpair=mvmap(kvpair,replace(kvpair,"([^=]+?)\s*=\s*(.*)","\1=\2"))

Now you can search your pairs

| search kvpair="OU=Whatever"

 You could also try to unescape some values (like quotation marks) but I was too lazy for that at the moment 😉

0 Karma

jip31
Motivator

Hi

All the OU fields and the CN fields are correctly collected

But the search below does not do the filtering...

| search (OU=Admin OR OU=Utilisateurs) DC=abc

0 Karma

gcusello
SplunkTrust

Hi @jip31,

I suppose that you also checked the DC field, not only the OU.

Anyway, it shouldn't be the issue, but please try:

| search (OU="Admin" OR OU="Utilisateurs") DC="abc"

Ciao.

Giuseppe

0 Karma

jip31
Motivator

Obviously thanks...

Last question: is it possible to display in the OU field or the DC field only the value specified in

| search (OU="Admin" OR OU="Utilisateurs") DC="abc"

Actually, in OU I also have Admin2 displayed along with Admin and Utilisateurs, even if I just search Admin OR Utilisateurs

0 Karma

gcusello
SplunkTrust

Hi @jip31,

you can build your search as you like: you have the OU and DC fields that you can use as you want, in all the combinations you like, since they are separate fields.

Ciao.

Giuseppe

0 Karma

gcusello
SplunkTrust

Hi @jip31 ,

good for you, see you next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma

jip31
Motivator

Just a little example, please?

0 Karma

gcusello
SplunkTrust

Hi @jip31,

usually in Splunk a field with the pair fieldname=fieldvalue is extracted, so you should have OU and DC as extracted fields.

So why don't you use:

<your_search> (OU=Admin OR OU=Utilisateurs) DC=abc

Ciao.

Giuseppe

0 Karma

jip31
Motivator

Hi

It's not the case

These fields are enclosed in the field ObjectD

I have found a workaround with the where clause but I have an issue with the rex field

For example, if I say that OU in ObjectD is equal to "Utilisateurs", the rex field displays the first OU found and not the OU specified in the where clause!

0 Karma

gcusello
SplunkTrust

Hi @jip31,

the fields should be extracted automatically, but anyway, you can extract these fields and use them in a search

<your_search> 
| rex field=ObjectD match=0 "OU\\s*=\s*(?<OU>\w+)"
| rex field=ObjectD match=0 "DC\s*\=\s*(?<DC>\w+)"
| search (OU=Admin OR OU=Utilisateurs) DC=abc

Ciao.

Giuseppe

0 Karma

jip31
Motivator

Thanks Giuseppe, but it's not exactly my need

Imagine I need to match these conditions in the ObjectD field

| where match(ObjectD,"OU=Admin),DC=abc")

Then I need to create a new field called "OU" with the rex command, and in this field the "Admin" OU must display "Admin"

0 Karma

gcusello
SplunkTrust

Hi @jip31,

my solution does exactly what you're requesting:

  • it extracts OU and DC from ObjectD
  • then it uses these extracted fields for the filter,

but it does it in a different way, without format problems

Ciao.

Giuseppe

0 Karma

jip31
Motivator

I confirm that your rex example extracts the field OU

| rex field=ObjectD match=0 "OU\\s*=\s*(?<OU>\w+)"

But I have another problem

The field ObjectDN looks like this

(OU=Toto,OU=Titi,OU=Admin,DC=abc,DC=efg)

In my where clause, I need to filter events when the condition is true

For example, below, I need to filter the events where OU=Admin

| where match(ObjectD,"OU=Admin),DC=abc")

So your rex command below extracts the OU correctly, but it's not the right OU

If my field ObjectDN is like this (OU=Toto,OU=Titi,OU=Admin,DC=abc,DC=efg), the OU field extracted is "Toto" while I need to extract "Admin" only, because OU=Toto is in the first place in the field ObjectDN

It means that the OU extracted is always the first OU item in the ObjectDN

For my field to extract the OU "Admin", the ObjectDN field would have to be this one

(OU=AdminOU=Titi,OU=Toto,DC=abc,DC=efg)

So is there a way to extract the OU corresponding to the where clause, no matter its position in the field ObjectName, please?

0 Karma
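The generalized parsing PickleRick sketches earlier (split the DN into key=value pairs, keep escaped commas inside a value, normalise spaces around "=") and the last question in this thread (pick the OU that matches the filter regardless of its position) come down to the same routine. This is an added Python example, not code from the thread or from Splunk; the sample DNs are constructed, and it mirrors the rex approach outside Splunk so the logic can be checked on its own. It also unescapes the other RFC 4514 special characters, which the thread mentions but leaves out.

```python
import re
from typing import List, Tuple

# Constructed sample DNs modelled on the thread: OU order varies, spacing around "="
# varies, one is wrapped in parentheses as shown in the thread, and one value contains
# an escaped comma ("\,"), which a plain split on "," would break.
SAMPLE_DNS = [
    "(OU=Admin,OU=toto,OU=Utilisateurs,DC=abc,DC=def)",
    "OU=toto, OU = Admin ,OU=Utilisateurs,DC=abc,DC=def",
    r"OU=Sales\, EMEA,OU=Users,DC=abc,DC=def",
    "OU=Admin2,OU=Titi,DC=xyz,DC=def",
]

# One RDN: attribute name, optional spaces around "=", then a value made of characters
# that are neither "," nor "\", or of backslash-escaped characters, so "\," stays in the value.
RDN_RE = re.compile(r"([A-Za-z]+)\s*=\s*((?:[^,\\]|\\.)*),?")

# RFC 4514 special characters that may be backslash-escaped inside a value.
ESCAPED_SPECIAL_RE = re.compile(r'\\([ ,=+<>#;"\\])')


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (ATTRIBUTE, value) pairs in their original order."""
    dn = dn.strip()
    if dn.startswith("(") and dn.endswith(")"):  # strip the wrapper the thread shows
        dn = dn[1:-1]
    pairs = []
    for m in RDN_RE.finditer(dn):
        attr = m.group(1).upper()
        # Unescape "\," and friends; hex escapes such as "\2C" are left as they are.
        value = ESCAPED_SPECIAL_RE.sub(r"\1", m.group(2).strip())
        pairs.append((attr, value))
    return pairs


def values_of(dn: str, attr: str) -> List[str]:
    """All values of one attribute (every OU, every DC), like rex with max_match=0."""
    return [v for a, v in split_dn(dn) if a == attr.upper()]


def matching_ous(dn: str, wanted_ous: set, wanted_dc: str) -> List[str]:
    """OUs that are in wanted_ous, whatever their position, if the DN also carries DC=wanted_dc.

    The comparison is exact, so OU=Admin2 does not match a filter for Admin.
    """
    if wanted_dc not in values_of(dn, "DC"):
        return []
    return [ou for ou in values_of(dn, "OU") if ou in wanted_ous]


if __name__ == "__main__":
    for sample in SAMPLE_DNS:
        print(sample, "->", matching_ous(sample, {"Admin", "Utilisateurs"}, "abc"))
```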