Splunk Search

Regex or rex LDAP extraction

ccsfdave
Builder

I keep trying to figure things out myself but my head is getting bruised from hitting it against my desk...

I am trying to extract the CN from LDAP however I cannot seem to get it right. Here are a few sanitized examples from our LDAP:

CN=Montana\, Joe,OU=FortyNiners,OU=sfPlayers,DC=AD,DC=SF49ERS,DC=COM
CN=Learning Center Group (LIB),OU=FortyNiners,OU=LIB,OU=sfInfrastructure,DC=AD,DC=SF49ERS,DC=COM
CN=Bumgardner\, Madison,OU=Giants,OU=sfPlayers,DC=AD,DC=SFGiants,DC=COM
CN=Rice\, Jerry,OU=FortyNiners,OU=sfPlayers,DC=AD,DC=SF49ERS,DC=COM
CN=SFO-SFPD Airport TSA Officers,OU=Exchange Distribution Groups,OU=TSA,OU=sfPeople,DC=AD,DC=GOV,DC=ORG
CN=TSAGtw,CN=123-A415N628R6YUP,OU=Workstations,OU=TSA,OU=sfDevices,DC=AD,DC=GOV,DC=ORG

Note that the second line has the acronym in parentheses and the last line has two CNs. I am trying to capture the CN data into a new field, which would result in:

Montana\, Joe
Learning Center Group (LIB)
Bumgardner\, Madison
Rice\, Jerry
SFO-SFPD Airport TSA Officers
TSAGtw,123-A415N628R6YUP

Extra credit would be if I could avoid matching the "\," in the middle of the CNs, but I can live with them if need be.

Please, if anyone can help...

Thanks.

Dave


jkat54
SplunkTrust

You might want to get other things in there like the OU...

Here's an example of having multiple OUs in the path, but extracting them separately as needed:

| makeresults count=1 
| eval abc="CN=xxxxxxxx,OU=unit,OU=city,OU=group,DC=company,DC=com" 
| makemv abc delim=","
| eval cn=mvindex(abc,0)
| eval unit=mvindex(abc,1) 
| eval city=mvindex(abc,2) 
| eval group=mvindex(abc,3)
| eval domain=mvindex(abc,4)
| eval tld=mvindex(abc,5)

Or maybe:

| makeresults count=1 
| eval _raw="CN=xxxxxxxx,OU=unit,OU=city,OU=group,DC=company,DC=com" 
| extract limit=0 mv_add=true 
| mvexpand OU

(or table OU to see what you get)

MartinMcNutt
Communicator

Install the Splunk Supporting Add-on for Active Directory and issue an ldapsearch to pull in the CN from the account.

Yes, you can use regex to try and build the CN, but go through the exercise of using ldapsearch, ldapfetch, etc., and you will see how easy it is to bring your data to life.

These commands are hidden gems, especially when you are dealing with applications that have been around a while. I had an issue with an event log that only contained a legacy Exchange DN (so 1999s), but I needed to know who it was. Just create an LDAP search and Splunk will bring in whatever attribute you want.


srioux
Communicator

You can use in-line rex to do that. In terms of processing, you can use in-line rex with sed mode.

<base search> | rex "CN=(?<cn>.*?),OU=" | rex mode=sed field=cn "s/\\\|,| |CN=/ /g"

There may be easier ways to do this, but this should work.

ccsfdave
Builder

Wow, that is freaking brilliant! I need to digest this a little, but wow!

Hey, is there any other magic we can pull off in case it finds the two CNs on the same line, so we can distinguish them as separate? Maybe some kind of if-then-else?

Thanks so much!

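The DN handling discussed in this thread, as an added example that is not part of any post here and written in Python rather than SPL so it can be run outside Splunk. The six sample DNs are the sanitized ones from the question. The block shows what the accepted answer's rex "CN=(?<cn>.*?),OU=" captures before the sed clean-up, why jkat54's makemv delim="," split breaks on an escaped comma such as "Montana\, Joe", and an RFC 4514-aware split that honours backslash escapes and keeps the two CNs of the last sample separate, which is what the follow-up asks for. The function names (parse_dn, unescape, extract_cns, cn_field, dn_fields, naive_split, rex_style_cn) are my own and are not Splunk commands.

```python
import re

# Constructed sample input: the sanitized DNs quoted in the question.
SAMPLE_DNS = [
    r"CN=Montana\, Joe,OU=FortyNiners,OU=sfPlayers,DC=AD,DC=SF49ERS,DC=COM",
    r"CN=Learning Center Group (LIB),OU=FortyNiners,OU=LIB,OU=sfInfrastructure,DC=AD,DC=SF49ERS,DC=COM",
    r"CN=Bumgardner\, Madison,OU=Giants,OU=sfPlayers,DC=AD,DC=SFGiants,DC=COM",
    r"CN=Rice\, Jerry,OU=FortyNiners,OU=sfPlayers,DC=AD,DC=SF49ERS,DC=COM",
    r"CN=SFO-SFPD Airport TSA Officers,OU=Exchange Distribution Groups,OU=TSA,OU=sfPeople,DC=AD,DC=GOV,DC=ORG",
    r"CN=TSAGtw,CN=123-A415N628R6YUP,OU=Workstations,OU=TSA,OU=sfDevices,DC=AD,DC=GOV,DC=ORG",
]

# The accepted answer's first rex, "CN=(?<cn>.*?),OU=", in Python syntax. It captures everything
# up to the first ",OU=", so a DN with two CN RDNs yields "TSAGtw,CN=123-..." and relies on the
# sed pass to clean up. Kept here to show that behaviour side by side with the parser.
ACCEPTED_ANSWER_RE = re.compile(r"CN=(?P<cn>.*?),OU=")

# One RDN of the form type=value. The value alternation consumes a backslash together with the
# character after it ("\\.") so an escaped comma ("\,") never terminates the value.
# Multi-valued RDNs joined with "+" are not split; they are rare in AD DNs.
RDN_RE = re.compile(r"(?P<type>[A-Za-z0-9.-]+)=(?P<value>(?:\\.|[^,\\])*)")


def rex_style_cn(dn):
    """What the thread's rex "CN=(?<cn>.*?),OU=" captures, before any sed clean-up."""
    m = ACCEPTED_ANSWER_RE.search(dn)
    return m.group("cn") if m else None


def naive_split(dn):
    """What makemv delim="," does: split on every comma, escaped or not."""
    return dn.split(",")


def parse_dn(dn):
    """Split a DN into (TYPE, value) pairs, honouring RFC 4514 backslash escapes.

    Values are returned still escaped (as Splunk sees them in the event);
    use unescape() when the display form is wanted.
    """
    rdns = []
    pos = 0
    while pos < len(dn):
        m = RDN_RE.match(dn, pos)
        if m is None:
            raise ValueError(f"malformed RDN at offset {pos}: {dn[pos:]!r}")
        rdns.append((m.group("type").upper(), m.group("value")))
        pos = m.end()
        if pos < len(dn):
            if dn[pos] != ",":
                # Only a dangling backslash or a stray character can land here.
                raise ValueError(f"unexpected {dn[pos]!r} at offset {pos} in {dn!r}")
            pos += 1  # skip the unescaped comma separating RDNs
    return rdns


def unescape(value):
    r"""Undo RFC 4514 escaping: '\,' -> ',', '\\' -> '\', and hex pairs such as '\2c' -> ','."""
    def repl(m):
        token = m.group(1)
        return chr(int(token, 16)) if len(token) == 2 else token
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)", repl, value)


def extract_cns(dn, unescape_values=False):
    """All CN values of a DN, in order, one list entry per CN RDN (so two CNs stay separate)."""
    cns = [value for rdn_type, value in parse_dn(dn) if rdn_type == "CN"]
    return [unescape(v) for v in cns] if unescape_values else cns


def cn_field(dn):
    """The 'cn' field as the question's expected output lists it: CN values joined by commas."""
    return ",".join(extract_cns(dn))


def dn_fields(dn):
    """Group values by attribute type, the shape of multivalue Splunk fields (CN, OU, DC)."""
    fields = {}
    for rdn_type, value in parse_dn(dn):
        fields.setdefault(rdn_type, []).append(value)
    return fields


if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        print(f"rex capture : {rex_style_cn(dn)!r}")
        print(f"naive split : {naive_split(dn)[0]!r}")
        print(f"cn field    : {cn_field(dn)!r}")
        print(f"cn list     : {extract_cns(dn, unescape_values=True)}")
        print(f"fields      : {dn_fields(dn)}")
        print()
```

Running it as a script prints the five views for each sample DN. The per-RDN pattern carries over to SPL as a rex with max_match=0, which yields a multivalued cn field (one value per CN RDN) instead of only the first match; the backslashes in the pattern then also need escaping for Splunk's own string quoting.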