I have the following ldapsearch
| ldapsearch domain="PROD" search="(&(objectClass=group)(cn=DSMS Operations))" | table member,cn,distinguishedName |ldapgroup domain=PROD | table member_name | outputlookup itocusers.csv
the members are returned but in a single event, so the event written to the CSV looks like this:
"member_name"
"user1
user2
user3
user4"
When trying to do a lookup it can't find the specific user, however if I remove the quotes it works. I have tried rex, makemv to remove this with no success.
Like this:
| ldapsearch domain="PROD" search="(&(objectClass=group)(cn=DSMS Operations))"
| table member,cn,distinguishedName
| ldapgroup domain=PROD
| table member_name
| rex field=member_name mode=sed "s/^\"// s/\"$//"
| mvexpand delim="
" member_name
| outputlookup itocusers.csv
Thanks, the second query looks much better, What I am seeing is quotes wrapped around those accounts that have special characters,
so it would look like this:
user1
"user2_test"
user2
I am trying to understand the regex. I know the ^\" and \"$ look for the quotes at the start and end of the string. but not sure what the
s/ and the // do? I think this is where I would have it look for the _ in the name.
Thanks!
This is not what you showed in your example; my solution is stripping the bounding double-quotes (the one at the very beginning and the one at the very end), which is all that was shown. Based on the explanation given by @rich7177 should give you the understanding that you need to adjust the solution.
It's rex used in sed mode, which is an old unix utility "stream editor". What it does is substitute characters in a stream of characters.
There are TWO substitutes in one command- I think you'll see more easily what's going on if we rewrote this to two separate sed modes.
| rex field=member_name mode=sed "s/^\"//"
| rex field=member_name mode=sed "s/\"$//"
Now that there's two, it's a lot easier. I'll just to the first one in detail.
The main gist is s
for substitute, then you'll see three delimiters in there /
. Substitute what's in the second set for whatever's in the first. s/what I search for/what I replace with/
. So if I ran that <-- immediately preceding sed against the sentence "This is what I search for" I would get as output "This is what I replace with".
In this case, substitute //
<-- nothing, empty between those last two delimiters, any time you find ^\"
, or a quote at the beginning.
The second one is the same thing only searches for a quote at the end of the string/stream/whatever.
I believe, by the way, if you know for sure there will never be a quote mark inside the string, you could just do
.... | rex mode=sed "s/\"//g"
That g
at the end is a flag to say "globally", or in other words do that substitution as many time as it can. And since we've removed the anchors for beginning or end, it'll substitute ALL quotes with nothings.
Does that help?
maybe like this:
| ldapsearch domain="PROD" search="(&(objectClass=group)(cn=DSMS Operations))"
| table member,cn,distinguishedName
|ldapgroup domain=PROD
| table member_name
| makemv delim=" " member_name
| mvexpand member_name
| outputlookup itocusers.csv
hope it helps
I changed my query to this:
| ldapsearch domain="PROD" search="(&(objectClass=group)(cn=DSMS Operations))"
| table member,cn,distinguishedName
| ldapgroup domain=PROD
| table member_name
| rex field=member_name mode=sed "s/\"//g"
| mvexpand member_name
| outputlookup itocusers.csv
I am still seeing the quotes around the user names that have a special character.
looks like this:
users1
users2
"users2_test"
"user3_test"
is this going to require a script that runs nightly to do this?
Thanks!