Splunk Search

Regex Help Needed

Path Finder

I am not an expert with regex and I am trying to extract a field name=First, Last out of the following string:

user=LDAP://Server OU=Typical,OU=Users,OU=Branch,DC=domain,DC=com/First\, Last

Any help is appreciated

1 Solution

SplunkTrust

This should do it.

... | rex "DC=\w+\/(?<name>[^\\]+)\\, (?<last>\w+)" | ...

BTW, regex101.com is your friend. 😉

---
If this reply helps you, an upvote would be appreciated.

Communicator

I would extract it as two separate fields like this:

DC\=com\/(?<first>[^\\]*)\\\,\s*(?<last>[^\$]*)

and then create a calculated field user that puts them together; that way you can search efficiently on the complete name or on the first or last name.

Path Finder

Thanks all! All of your answers were helpful and let me accomplish what I was looking for.

Path Finder

Is there an efficient way to extract the two values into one field? Let's say User(name, last)? Or should the fields be merged after being extracted?

SplunkTrust

Well, sort of but you get the yucky stuff in the middle.

DC=\w+\/(?<name>[^\\]+\\, \w+)

That would give you First\, Last which is ... probably not quite what you desire. You can't split a single field up like what you want... no, you can't combine two individual things into one field? Either way, I'm not aware of a way to do that, so just combine 'em at the end.

... | rex "DC=\w+\/(?<name>[^\\]+)\\, (?<last>\w+)" | eval FullName=name." ".last | ...

There's a zillion ways to accomplish that, but if I didn't fat finger it there's one. It's fragile, though - if you have an event without a first name, well, you'll not have a FullName either. 🙂 More help can be given if required, but if it works for your needs then it's probably good enough.

If this or the other answer resolves your needs (you can apply my mini-extra-solution to either!), could you please mark one as the answer to help everyone else who stumbles across this answer later?

Explorer

Hi Rich,

I was able to understand the regex except the point where we added [^\] after name capturing. The other character '\' after First could be understood to be escaped properly, but why [^\]?

Thanks !

SplunkTrust

I read the '\' as a delimiter rather than an escaped comma. Try this regex to get the entire name in one field.

... | rex "DC=\w+\/(?<name>[\w, \\]+)" | ...

This will probably leave the escaped comma in the name field. I've been unsuccessful removing it.

---
If this reply helps you, an upvote would be appreciated.

Path Finder

That works, but it also captures "\" after name and before the comma, so it looks like "name\, last". Any way of removing "\"?

SplunkTrust

Like I said in my last comment, I've been unsuccessful at removing the '\'. I just tried something else that worked. Add this after the above rex command.

| rex field=name mode=sed "s/\\\//g" | ...

---
If this reply helps you, an upvote would be appreciated.
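To see why the patterns in this thread behave the way they do, here is an added Python walk-through (not code from any of the posters) that runs the two-field, one-field and backslash-stripping steps over constructed sample events modelled on the string in the question. The patterns are written as Python raw strings, so the backslash doubling differs from what Splunk's double-quoted rex needs; the one added behaviour is the fallback in full_name for an event with no first name, the case the eval-based FullName leaves empty.

```python
import re

# Constructed sample events modelled on the string in the question; not real log data.
SAMPLE_EVENTS = [
    r"user=LDAP://Server OU=Typical,OU=Users,OU=Branch,DC=domain,DC=com/First\, Last",
    r"user=LDAP://Server OU=Typical,OU=Users,OU=Branch,DC=domain,DC=com/Last",  # no first name
]

# Python form of the accepted two-field pattern. The "\," is how a comma inside a
# DN value is escaped, so "[^\\]+" deliberately stops at that backslash.
TWO_FIELD_RE = re.compile(r"DC=\w+/(?P<name>[^\\]+)\\, (?P<last>\w+)")

# Python form of the later one-field pattern; it keeps the raw "First\, Last".
ONE_FIELD_RE = re.compile(r"DC=\w+/(?P<name>[\w, \\]+)")


def extract_two_fields(event):
    """Return {'name': ..., 'last': ...}, or {} when the event lacks the escaped comma."""
    m = TWO_FIELD_RE.search(event)
    return m.groupdict() if m else {}


def extract_one_field(event):
    """Return the whole trailing value, escape backslash included, or None."""
    m = ONE_FIELD_RE.search(event)
    return m.group("name") if m else None


def strip_dn_escapes(value):
    # Same effect as the sed-mode rex in the last reply: drop the escape backslash.
    return value.replace("\\", "")


def full_name(event):
    """Like 'eval FullName=name." ".last', but falls back to the one-field value
    instead of producing nothing when there is no first name."""
    fields = extract_two_fields(event)
    if fields:
        return f"{fields['name']} {fields['last']}"
    raw = extract_one_field(event)
    return strip_dn_escapes(raw) if raw else None


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(extract_two_fields(ev), extract_one_field(ev), full_name(ev))
```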