Splunk Search

Remove CN= string and the rest from my search results

jnahuelperez35
Path Finder

Hi guys!

I'm loking for a search like this:

source="WinEventLog:Security" name = "A member *group*" Group_Name="*admin*" |
table _time src_user user Group_Name name

The search works great! the problem are the results, the "user" Column give me something like this:

CN=MyUserDomain,OU=SomeOrgUnit,OU=SomeOrgUnit,OU=SomeOrgUnit,OU=SomeOrgUnit,OU=SomeOrgUnit,DC=com,DC=net

I only wants to get "MyUserDomain". Is there anyway? I tried with eval user = trim(replace(user, "CN=", "")) but it only removes the first part of the string

Thanks a Lot!

Nahuel

0 Karma
1 Solution

somesoni2
Revered Legend

Try this

source="WinEventLog:Security" name = "A member *group*" Group_Name="*admin*" |
 table _time src_user user Group_Name name |
 eval user=replace(user,"CN=([^,]+),.+","\1")

View solution in original post

somesoni2
Revered Legend

Try this

source="WinEventLog:Security" name = "A member *group*" Group_Name="*admin*" |
 table _time src_user user Group_Name name |
 eval user=replace(user,"CN=([^,]+),.+","\1")

jnahuelperez35
Path Finder

Thanks a Lot! where can i learn more about regular expressions codification like this?

Again, thanks!

Nahuel

0 Karma

GnanasekarP
New Member

Hi jnahuelperez, As our friend send you them in Splunk documentation if need detail explanation, I have learned from this links i hope this helps you: https://dzone.com/articles/starting-with-regular-expression-in-splunk & https://mindmajix.com/splunk

0 Karma

somesoni2
Revered Legend

Splunk provides some level of information about REGEX that you can use here
https://docs.splunk.com/Documentation/Splunk/6.5.3/Knowledge/AboutSplunkregularexpressions

If you google you can definitely find some external resources like this
http://www.learnsplunk.com/splunk-regex-tutorial.html

For practicing/testing, I use https://regex101.com/ site.

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...