- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Help with rex
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We are looking to create a multi field rex command to capture the following:
1. Firstname Lastname
2. OrgUnit
I am having trouble getting the "Firstname Lastname" to parse properly, here is what I have so far:
|rex field=_raw "(?) CN=(?
Help is greatly appreciated!
Here is a raw event:
07/18/2012 09:00:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4728 EventType=0 Type=Information ComputerName=SERVERNAME.domain.com TaskCategory=Security Group Management OpCode=Info RecordNumber=1688571344 Keywords=Audit Success Message=A member was added to a security-enabled global group. Subject: Security ID: DOMAIN\test003 Account Name: test003 Account Domain: DOMAIN Logon ID: 0x6356e0a1e Member: Security ID: DOMAIN\LOGONID Account Name: CN=Firstname Lastname,OU=OrgUnit,OU=Non-Domain Users,OU=People,DC=company,DC=com Group: Security ID: DOMAIN\SD-INSTALL-ASSET_MANAGEMENT Group Name: GP-GROUP-GROUPNAME_MANAGEMENT Group Domain: DOMAIN Additional Information: Privileges: -
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk should already be extracting the OrgUnit as it is in field=value format. It will call the field OU, but you can set a field alias if you want a different name. The name is more of a problem, as it contains whitespace.
To extract them both:
... | rex field=_raw "CN=(?<cname>.+?),OU=(?<orgunit>\S+)"
To extract just the cname:
... | rex field=_raw "CN=(?<cname>.+?),"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk should already be extracting the OrgUnit as it is in field=value format. It will call the field OU, but you can set a field alias if you want a different name. The name is more of a problem, as it contains whitespace.
To extract them both:
... | rex field=_raw "CN=(?<cname>.+?),OU=(?<orgunit>\S+)"
To extract just the cname:
... | rex field=_raw "CN=(?<cname>.+?),"
Explore the Latest Educational Offerings from Splunk [January 2025 Updates]
Developer Spotlight with Paul Stout
State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...
