Solved: Help with fields extraction

numeroinconnu12 · ‎04-28-2022

Good evening,
Thank you all for your support,
I have a field called Memberof which contains the following data per line.

1) cn=GRP_Basic,ou=Users,dc=admin,dc=spike|cn=GRP_Hash,ou=Groups,dc=admin,dc=spike

2) cn=GRP_ADC,ou=Groups,dc=admin,dc=spike|cn=GRP_Vabd_Admin,dc=admin,dc=spike|cn=GRP_Vabd_Supe

3) cn=GRP_sos,ou=Groups,dc=command,dc=spike

I wanted to extract for each row all that starts with GRP

For example for the first line I need to extract GRP_Basic and GRP_Hash
For the second line I have to extract GRP_ADC and GRP_Vabd_Admin and GRP_Vabd_Supe

thank you very much

gcusello · ‎04-28-2022

Hi @numeroinconnu12,

you have two choices:

use the regex from @ITWhisperer and filter results for the two values you want after the rex command using the search command,
insert the condition about the two values in the regex.

about the second please try this:

| rex max_match=0 "(?<grp>GRP_Basic|GRC_Hash)"

Ciao.

Giuseppe

View solution in original post

ITWhisperer · ‎04-28-2022

| rex max_match=0 "(?<grp>GRP_[^,]+)"

numeroinconnu12 · ‎04-28-2022

Hello,

Thank you very much for the answer but it doesn't work.
I would like to extract only GRP_Basic or GRP_Hash

thank you

gcusello · ‎04-28-2022

Hi @numeroinconnu12,

you have two choices:

use the regex from @ITWhisperer and filter results for the two values you want after the rex command using the search command,
insert the condition about the two values in the regex.

about the second please try this:

| rex max_match=0 "(?<grp>GRP_Basic|GRC_Hash)"

Ciao.

Giuseppe

gcusello · ‎06-14-2022

Hi @numeroinconnu12,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

Help with fields extraction

other

regex

rex

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life