Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I only show certain values in a field?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm trying to group ldap log values. I have already listed them out from a comma separated value but, I'm having a hard time getting them the way I want them to display. I'm trying to create a new field and show just the CN
here is my query - sourcetype=mysearch user_ldap_user_attributes_memberOf=business_group1 | stats values(user_ldap_user_attributes_memberOf) as Group | makemv delim="," Group
here is my results-
CN=ExchangeUsers
OU=Groups
OU=business
DC=us
DC=ad
DC=corp
DC=com
CN=FAMS_Users
OU=Groups
OU=business
DC=us
DC=ad
DC=corp
DC=com
CN=EXCHANGE_ACTIVESYNC
OU=Dynagroups
OU=Enterprise Groups
DC=us
DC=ad
DC=corp
DC=com
CN=Tableau
OU=Groups
OU=business
DC=us
DC=ad
DC=corp
DC=com
CN=Web_Access
OU=Groups
OU=business
DC=us
DC=ad
DC=corp
DC=com
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
See of one of these give you what you're looking for
sourcetype=mysearch user_ldap_user_attributes_memberOf=business_group1 | stats values(user_ldap_user_attributes_memberOf) as Group | makemv delim="," Group | mvexpand Group | search Group="CN*"
*OR*
sourcetype=mysearch user_ldap_user_attributes_memberOf=business_group1 | stats values(user_ldap_user_attributes_memberOf) as Group | makemv delim="," Group | eval Group=mvfilter(Group, "CN=")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
See of one of these give you what you're looking for
sourcetype=mysearch user_ldap_user_attributes_memberOf=business_group1 | stats values(user_ldap_user_attributes_memberOf) as Group | makemv delim="," Group | mvexpand Group | search Group="CN*"
*OR*
sourcetype=mysearch user_ldap_user_attributes_memberOf=business_group1 | stats values(user_ldap_user_attributes_memberOf) as Group | makemv delim="," Group | eval Group=mvfilter(Group, "CN=")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The first query worked like a charm. The second gave me an error "The arguments to the 'mvfilter' function are invalid."
Thanks! I was WAY over thinking it
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
