
How to parse and extract OU data

New Member

I am trying to parse and extract the field data from the AD distinguishedName field using regex, but I'm not having too much luck.

Here is what I'm looking at:

CN=AVB6F9974,OU=Farley PC's, OU=Kansas City, OU=Workstations,DC=lop,DC=local
CN=AVB6F9975,OU=Booth PC's, OU=Scott Building, OU=Workstations,DC=lop,DC=local
CN=KBOD6F9975,OU=Booth PC's, OU=Zale Building, OU=Workstations,DC=lop,DC=local

The end goal is to create a report that looks like the table below.

Workstation   Location       Operating System  IP address 
AVB6F9974     Kansas City    Windows 10
AVB6F9975     Scott Building Windows 10
KBOD6F9975    Zale Building  Windows 10

Re: How to parse and extract OU data

Communicator

Hey Vfinney!

Is that data all one log, or is that three individual logs?

Also, where are you getting the Operating System data and the IP Address data from? I'm not seeing it in the dataset you provided.


Re: How to parse and extract OU data

New Member

Yes, it's all from one Active Directory log. As for the OS and IP, those are just other values from my search query. They are not part of the issue.


Re: How to parse and extract OU data

Communicator

Hey Vfinney,

Give this a try for me:

...BASE SEARCH...
| rex field=distinguishedName max_match=0 "(?<distinguishedName>[^\n]+)" 
| mvexpand distinguishedName 
| rex field=distinguishedName max_match=0 "CN=(?<Workstation>[^\,]+)\,OU=[^\,]+\,\sOU=(?<Location>[^\,]+)[^\n]+"
| table Workstation Location operating_system ip_address

I tried working around not using mvexpand, but in this case I believe it is the only way to make the search function the way you want it to.

Please let me know if there are any unforeseen problems you run into and I will try to help you correct them!


Re: How to parse and extract OU data

Communicator

This may be difficult based on your OU structure, but try something like this:

rex "CN=(?<commonName>[^\,]+)\,.*?(?<!\\)\,\s*OU=(?<location>.*?(?<!\\))\,\s*OU=.*?\,DC"

It will require that the location field is always the child OU of the Workstation (or Server, etc.) OU, and that it in turn is always the child of "DC=lop,DC=local". This command will always run against the full _raw field, but if you have the DN in a separate field already it might be better to use "rex field= ...".

Link to regex101, which can explain each of the steps: https://regex101.com/r/3H4CO9/3

The first regex is pretty computationally expensive. If your OU structure is strict, the location will always be in the same place, and you don't use commas in any locations, this is more efficient:

CN=(?<commonName>[^\,]+)\,OU=.*?\,\s*OU=(?<location>[^\,]+)\,\s*OU=

Re: How to parse and extract OU data

New Member

When trying the second string, I received the following error: Error in 'SearchParser': Missing a search command before '^'. Error at position '83' of search query 'search sourcetype=ActiveDirectory operatingSystem=...{snipped} {errorcontext = mmonName>[^\,]+)\,OU=}'.


Re: How to parse and extract OU data

Communicator

Here is the fully formatted example with the sample data you provided:

 | makeresults 
 | eval test=" CN=AVB6F9974,OU=Farley PC's, OU=Kansas City, OU=Workstations,DC=lop,DC=local|CN=AVB6F9975,OU=Booth PC's, OU=Scott Building, OU=Workstations,DC=lop,DC=local|CN=KBOD6F9975,OU=Booth PC's, OU=Zale Building, OU=Workstations,DC=lop,DC=local"
 | makemv delim="|" test | mvexpand test
 | eval _raw=test
 | rex "CN=(?<commonName>[^\,]+)\,OU=.*?\,\s*OU=(?<location>[^\,]+)\,\s*OU="

Re: How to parse and extract OU data

New Member

I should have provided more data in my original post. Here are examples of the entire distinguishedName field data:

CN=KDORSC22PHRR2,OU=Desktops,OU=Taxation,OU=Scott Building,OU=Workstations,DC=kdor,DC=ks,DC=gov
CN=KDORKC9RJFMN2,OU=Booth PC's,OU=Kansas City,OU=Workstations,DC=kdor,DC=ks,DC=gov
CN=RV20013743,OU=Laptops,OU=Legal,OU=Mills Building,OU=Workstations,DC=kdor,DC=ks,DC=gov

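As an added example that is not part of the thread, here is a Python parser that does what the regex answers above approximate, written for the two caveats raised in the replies: an OU name containing an escaped comma (the RFC 4514 `\,` form) breaks a split on `,`, and the last set of DNs shows that the number of OUs above the CN varies, so "the second OU" is not always the location. The block splits the DN into RDNs while honouring backslash escapes, then takes the CN and the OU immediately beneath the Workstations container by position rather than by count. The first three sample DNs are copied from the thread; the fourth, with hostname HYPO0001 and the escaped comma, is constructed for this example and hypothetical. `naive_location` re-implements the thread's fixed-position regex in Python purely for comparison.

```python
import re

# Sample DNs: the first three are copied from the thread's data; the fourth is a
# constructed (hypothetical) DN whose OU name contains an RFC 4514 escaped comma.
SAMPLE_DNS = [
    "CN=AVB6F9974,OU=Farley PC's, OU=Kansas City, OU=Workstations,DC=lop,DC=local",
    "CN=KDORSC22PHRR2,OU=Desktops,OU=Taxation,OU=Scott Building,OU=Workstations,DC=kdor,DC=ks,DC=gov",
    "CN=RV20013743,OU=Laptops,OU=Legal,OU=Mills Building,OU=Workstations,DC=kdor,DC=ks,DC=gov",
    r"CN=HYPO0001,OU=Lab\, North Wing,OU=Workstations,DC=lop,DC=local",
]

HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def split_rdns(dn):
    """Split a DN string into a list of (attribute, value) pairs, leaf first.

    Follows the RFC 4514 string form: an unescaped ',' ends an RDN, the first
    unescaped '=' separates attribute from value, and a backslash either escapes
    the next character (\\, \\= \\\\ ...) or introduces a two-digit hex escape
    (\\2c is a comma). Unescaped whitespace around separators is dropped, which
    is what the thread's first sample (", OU=") needs. Multi-valued RDNs joined
    with '+' are not split, since computer DNs do not use them.
    """
    rdns = []
    attr = None
    buf = []
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if HEX_PAIR.fullmatch(pair):
                buf.append(chr(int(pair, 16)))  # \2c style hex escape
                i += 3
            else:
                buf.append(dn[i + 1])            # \, \= \\ etc.
                i += 2
            continue
        if c == "=" and attr is None:
            attr = "".join(buf).strip()
            buf = []
        elif c == ",":
            rdns.append((attr, "".join(buf).strip()))
            attr, buf = None, []
        else:
            buf.append(c)
        i += 1
    if attr is not None:
        rdns.append((attr, "".join(buf).strip()))
    return rdns


def workstation_location(dn, container="Workstations"):
    """Return (Workstation, Location) for a computer DN.

    Workstation is the CN; Location is the OU directly beneath `container`,
    found by position in the parsed DN rather than by counting OUs, so it works
    whether the DN has two, three or four OUs above the CN.
    """
    rdns = split_rdns(dn)
    cn = next((v for a, v in rdns if (a or "").upper() == "CN"), None)
    ous = [v for a, v in rdns if (a or "").upper() == "OU"]  # leaf first, root last
    for idx, ou in enumerate(ous):
        # The entry listed just before the container is its immediate child.
        if ou.casefold() == container.casefold() and idx > 0:
            return cn, ous[idx - 1]
    return cn, None


# The thread's fixed-position regex (second pattern in the reply above), in
# Python syntax, kept only to show where the assumption "location is always the
# second OU and never contains a comma" breaks.
NAIVE = re.compile(r"CN=(?P<commonName>[^,]+),OU=.*?,\s*OU=(?P<location>[^,]+),\s*OU=")


def naive_location(dn):
    m = NAIVE.search(dn)
    return m.group("location") if m else None


def build_report(dns):
    """Rows of (Workstation, Location), the two columns the extraction must supply."""
    return [workstation_location(dn) for dn in dns]


if __name__ == "__main__":
    print(f"{'Workstation':<16}{'Location':<18}naive regex")
    for dn in SAMPLE_DNS:
        ws, loc = workstation_location(dn)
        print(f"{ws:<16}{loc:<18}{naive_location(dn)}")
```

Running it prints the structural result beside the naive one: for the first DN both agree on Kansas City, for the deeper DNs the fixed-position regex returns the OU one level too low (Taxation, Legal) where the parser returns Scott Building and Mills Building, and for the escaped-comma DN the regex matches nothing while the parser returns "Lab, North Wing". If the extraction has to stay in SPL, the same positional rule can be expressed by anchoring on the container instead of counting OUs, for example `rex field=distinguishedName "OU=(?<Location>[^,]+),\s*OU=Workstations"`, which still assumes no unescaped commas in OU names.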