Good evening,
Thank you all for your support,
I have a field called Memberof which contains the following data per line.
1) cn=GRP_Basic,ou=Users,dc=admin,dc=spike|cn=GRP_Hash,ou=Groups,dc=admin,dc=spike
2) cn=GRP_ADC,ou=Groups,dc=admin,dc=spike|cn=GRP_Vabd_Admin,dc=admin,dc=spike|cn=GRP_Vabd_Supe
3) cn=GRP_sos,ou=Groups,dc=command,dc=spike
I wanted to extract for each row all that starts with GRP
For example for the first line I need to extract GRP_Basic and GRP_Hash
For the second line I have to extract GRP_ADC and GRP_Vabd_Admin and GRP_Vabd_Supe
thank you very much
Hi @numeroinconnu12,
you have two choices:
about the second please try this:
| rex max_match=0 "(?<grp>GRP_Basic|GRC_Hash)"
Ciao.
Giuseppe
| rex max_match=0 "(?<grp>GRP_[^,]+)"
Hello,
Thank you very much for the answer but it doesn't work.
I would like to extract only GRP_Basic or GRP_Hash
thank you
Hi @numeroinconnu12,
you have two choices:
about the second please try this:
| rex max_match=0 "(?<grp>GRP_Basic|GRC_Hash)"
Ciao.
Giuseppe
Hi @numeroinconnu12,
good for you, see next time!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated by all the contributors 😉