Splunk Search

How to form splunk query to split a field and make separate fields as per the maximum number of partitions?

smitapatankarso
Explorer

I have some strings like below returned by my splunk base search:

"CN=aa,OU=bb,DC=cc,DC=dd,DC=ee"
"CN=xx,OU=bb,DC=cc,DC=yy,DC=zz"
"CN=ff,OU=gg,OU=hh,DC=ii,DC=jj"
"CN=kk,DC=ll,DC=mm"

Note: CN,OU,DC could be 0 or many.

My ultimate goal is to find all OUs something like below.

(The combinations also need to be unique.)

(All blank lines can be excluded.)

eg:

bb     (blank)
gg      hh
(blank) (blank)

The query that am using currently is very naive.

Plus it is not generic.

It will work if atleast one of my split results into 5 parts (0,1,2,3,4).

But, it will not work and give blank results if none of my split results into 5 parts (0,1,2,3,4) i.e. all of them result in less than 5 parts.

index=xx sourcetype=yy
| fields s
| rex field=s mode=sed "s/,DC=.*//g"
| eval temp=split(s,",OU=")
| eval a=mvindex(temp,1)
| eval b=mvindex(temp,2)
| eval c=mvindex(temp,3)
| eval d=mvindex(temp,4)
| dedup a b c d
| table a,b,c,d

How to make it generic i.e. get the count of split and make fields as per maximum split length?

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

I couldn't come up with a generic way to put each OU in a separate field. I think I have a decent equivalent, however. It shows the unique sets of OUs.

index=xx sourcetype=yy
| fields s
| rex field=s max_match=0 "OU=(?<OU>[^,]+)"
| eval OUs=mvjoin(OU, ",")
| dedup OUs
| table OUs
---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

I couldn't come up with a generic way to put each OU in a separate field. I think I have a decent equivalent, however. It shows the unique sets of OUs.

index=xx sourcetype=yy
| fields s
| rex field=s max_match=0 "OU=(?<OU>[^,]+)"
| eval OUs=mvjoin(OU, ",")
| dedup OUs
| table OUs
---
If this reply helps you, Karma would be appreciated.

smitapatankarso
Explorer

saved my effort of further processing as well.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...