Splunk Search

Help with fields extraction

numeroinconnu12
Path Finder

Good evening,
Thank you all for your support.
I have a field called Memberof which contains the following data, one value per line:

1) cn=GRP_Basic,ou=Users,dc=admin,dc=spike|cn=GRP_Hash,ou=Groups,dc=admin,dc=spike

2) cn=GRP_ADC,ou=Groups,dc=admin,dc=spike|cn=GRP_Vabd_Admin,dc=admin,dc=spike|cn=GRP_Vabd_Supe

3) cn=GRP_sos,ou=Groups,dc=command,dc=spike

I want to extract, for each row, everything that starts with GRP.

For example, for the first line I need to extract GRP_Basic and GRP_Hash.
For the second line I have to extract GRP_ADC, GRP_Vabd_Admin and GRP_Vabd_Supe.

Thank you very much.


ITWhisperer
SplunkTrust

| rex max_match=0 "(?<grp>GRP_[^,]+)"

numeroinconnu12
Path Finder

Hello,

Thank you very much for the answer, but it doesn't work.
I would like to extract only GRP_Basic or GRP_Hash.

Thank you

gcusello
SplunkTrust

Hi @numeroinconnu12,

You have two choices:

  • use the regex from @ITWhisperer and filter the results for the two values you want after the rex command, using the search command,
  • insert the condition about the two values in the regex.

About the second, please try this (the group name is GRP_Hash, matching the field values):

| rex max_match=0 "(?<grp>GRP_Basic|GRP_Hash)"

Ciao.

Giuseppe
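
Added example (not code from the thread): the two approaches from this answer, expressed in Python over the three Memberof values from the question, so the difference between extracting every GRP_ value and extracting only the two wanted ones can be checked offline. It goes slightly beyond the thread: the catch-all pattern also stops at the `|` entry separator (so a DN without ou/dc parts does not swallow the next entry), and the wanted-only pattern is anchored so that a longer name such as GRP_Hashing is not reported as GRP_Hash.

```python
import re
from typing import Iterable, List

# Constructed sample values of the Memberof field, copied from the question.
SAMPLE_MEMBEROF = [
    "cn=GRP_Basic,ou=Users,dc=admin,dc=spike|cn=GRP_Hash,ou=Groups,dc=admin,dc=spike",
    "cn=GRP_ADC,ou=Groups,dc=admin,dc=spike|cn=GRP_Vabd_Admin,dc=admin,dc=spike|cn=GRP_Vabd_Supe",
    "cn=GRP_sos,ou=Groups,dc=command,dc=spike",
]

# Option 1, step one: like rex max_match=0 "(?<grp>GRP_[^,]+)", but also stopping
# at the "|" that separates DN entries (extension of the thread's pattern).
ALL_GRP = re.compile(r"GRP_[^,|]+")

# Option 2: the condition is inside the regex. The lookahead requires the name to
# be followed by a separator or end of string, so GRP_Hashing is not a match.
WANTED_ONLY = re.compile(r"(?P<grp>GRP_Basic|GRP_Hash)(?=[,|]|$)")


def extract_all_groups(memberof: str) -> List[str]:
    """Return every GRP_* value in one Memberof value (a multivalue field in SPL)."""
    return ALL_GRP.findall(memberof)


def filter_groups(groups: Iterable[str], wanted=("GRP_Basic", "GRP_Hash")) -> List[str]:
    """Option 1, step two: keep only the wanted names, like a later search/where filter."""
    return [g for g in groups if g in wanted]


def extract_wanted_groups(memberof: str) -> List[str]:
    """Option 2 in one step: only GRP_Basic / GRP_Hash, as exact names."""
    return WANTED_ONLY.findall(memberof)


if __name__ == "__main__":
    for row, value in enumerate(SAMPLE_MEMBEROF, start=1):
        print(row, "all:", extract_all_groups(value),
              "filtered:", filter_groups(extract_all_groups(value)),
              "wanted-only:", extract_wanted_groups(value))
```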

gcusello
SplunkTrust

Hi @numeroinconnu12,

Good for you, see you next time!

Ciao and happy Splunking

Giuseppe

P.S.: Karma points are appreciated by all the contributors.
