Splunk Search

How to form splunk query to split a field and make separate fields as per the maximum number of partitions?

smitapatankarso
Explorer

I have some strings like below returned by my splunk base search:

"CN=aa,OU=bb,DC=cc,DC=dd,DC=ee"
"CN=xx,OU=bb,DC=cc,DC=yy,DC=zz"
"CN=ff,OU=gg,OU=hh,DC=ii,DC=jj"
"CN=kk,DC=ll,DC=mm"

Note: CN,OU,DC could be 0 or many.

My ultimate goal is to find all OUs something like below.

(The combinations also need to be unique.)

(All blank lines can be excluded.)

eg:

bb     (blank)
gg      hh
(blank) (blank)

The query that am using currently is very naive.

Plus it is not generic.

It will work if atleast one of my split results into 5 parts (0,1,2,3,4).

But, it will not work and give blank results if none of my split results into 5 parts (0,1,2,3,4) i.e. all of them result in less than 5 parts.

index=xx sourcetype=yy
| fields s
| rex field=s mode=sed "s/,DC=.*//g"
| eval temp=split(s,",OU=")
| eval a=mvindex(temp,1)
| eval b=mvindex(temp,2)
| eval c=mvindex(temp,3)
| eval d=mvindex(temp,4)
| dedup a b c d
| table a,b,c,d

How to make it generic i.e. get the count of split and make fields as per maximum split length?

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

I couldn't come up with a generic way to put each OU in a separate field. I think I have a decent equivalent, however. It shows the unique sets of OUs.

index=xx sourcetype=yy
| fields s
| rex field=s max_match=0 "OU=(?<OU>[^,]+)"
| eval OUs=mvjoin(OU, ",")
| dedup OUs
| table OUs
---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

I couldn't come up with a generic way to put each OU in a separate field. I think I have a decent equivalent, however. It shows the unique sets of OUs.

index=xx sourcetype=yy
| fields s
| rex field=s max_match=0 "OU=(?<OU>[^,]+)"
| eval OUs=mvjoin(OU, ",")
| dedup OUs
| table OUs
---
If this reply helps you, Karma would be appreciated.

smitapatankarso
Explorer

saved my effort of further processing as well.

0 Karma
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...