How do I extract a certain OU from my DN in my Active Directory data?

DPWSplunkPOC
Explorer

I would like to extract a certain portion of my AD data to identify a certain OU. The OU I want to extract always appears before the ,ou= field. So, my data might look like this:

CN=username, OU=value1, OU=value2, OU=value3, ou=value4, dc=value5

But sometimes my data might include an extra OU=, so a simple pattern match does not work. For example, another string may look like this:

CN=username, OU=value1, OU=value2, OU=value3, OU=value4, ou=value5, dc=value6

If I have those two strings, I would want the regex to give me value3 from the first string and value4 from the second string.

The regex I have is close, but it is capturing between value,ou when looking at OU=value,ou=value.

Here is the regex I developed so far:

\bOU\b=(\w+)?(?P<agency>),ou

0 Karma
1 Solution

DPWSplunkPOC
Explorer

I figured it out.

\bOU\b=(\w+)?(?P<agency>\w{2}),ou

0 Karma
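
An added example, not part of the original thread: the same extraction in Python, once as a case-sensitive regex that tolerates the spaces after the commas shown in the question, and once by splitting the DN into components so that a value containing an escaped comma is still returned whole. The function names, the no-space sample and the escaped-comma sample are constructed for illustration, and the example assumes, as the question does, that the boundary component is written with a lowercase `ou=`.

```python
import re

# Case-sensitive on purpose: the question's data marks the boundary with a
# lowercase "ou=", and the wanted value is the uppercase "OU=" component
# immediately before it. Optional whitespace around the comma is allowed.
AGENCY_RE = re.compile(r"\bOU=(?P<agency>[^,]+?)\s*,\s*ou=")

def agency_by_regex(dn):
    """Return the OU value directly before the lowercase ou= component, or None."""
    m = AGENCY_RE.search(dn)
    return m.group("agency") if m else None

def split_rdns(dn):
    """Split a DN into (type, value) pairs on commas that are not backslash-escaped."""
    # Simplification: an escaped backslash directly before a comma is not handled.
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.strip().partition("=")
        if sep:
            rdns.append((attr.strip(), value.strip()))
    return rdns

def agency_by_rdn(dn):
    """Same result as the regex, but robust to escaped commas inside the value."""
    rdns = split_rdns(dn)
    for prev, cur in zip(rdns, rdns[1:]):
        if cur[0] == "ou" and prev[0] == "OU":
            return prev[1]
    return None

# Constructed samples: the first two are the shapes shown in the question.
SAMPLES = [
    "CN=username, OU=value1, OU=value2, OU=value3, ou=value4, dc=value5",
    "CN=username, OU=value1, OU=value2, OU=value3, OU=value4, ou=value5, dc=value6",
    "CN=username,OU=value1,OU=XY,ou=value5,dc=value6",
    r"CN=username,OU=Sales\, East,ou=people,dc=example",
]

if __name__ == "__main__":
    for dn in SAMPLES:
        print(agency_by_regex(dn), "|", agency_by_rdn(dn))
```

On the last sample the regex returns nothing because `[^,]+` stops at the escaped comma, while the component-based version returns the full value.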
