I confirm that your rex example extracts the field OU:

| rex field=ObjectD match=0 "OU\\s*=\s*(?<OU>\w+)"

But I have another problem. The field ObjectDN looks like this: (OU=Toto,OU=Titi,OU=Admin,DC=abc,DC=efg)

In my where clause, I need to filter events when the condition is true. For example, below, I need to filter the events where OU=Admin:

| where match(ObjectD,"OU=Admin),DC=abc")

So your rex command below extracts the OU correctly, but it's not the right OU. If my field ObjectDN is like this (OU=Toto,OU=Titi,OU=Admin,DC=abc,DC=efg), the OU field extracted is "Toto", while I need to extract "Admin" only, because OU=Toto is in the first place in the field ObjectDN. It means that the OU extracted is always the first OU item in the ObjectDN.

To extract the OU "Admin", the ObjectDN field would have to be this one: (OU=AdminOU=Titi,OU=Toto,DC=abc,DC=efg)

So is there a way to extract the OU corresponding to the where clause, no matter its position in the field ObjectName, please?
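One way to match an OU regardless of its position in the DN, shown as an added example that is not part of the original post: capture every OU into a multivalue field with `max_match=0`, then filter on the multivalue field. The sample DNs, the `note` field and the `MatchedOU` field name are constructed for illustration, and the field name `ObjectDN` is assumed from the post's description.

```spl
| makeresults
| eval note="constructed sample data, not from the original post"
| eval ObjectDN=split("OU=Toto,OU=Titi,OU=Admin,DC=abc,DC=efg|OU=Admin,OU=Titi,OU=Toto,DC=abc,DC=efg|OU=Toto,OU=Administrators,DC=abc,DC=efg|OU=Toto,OU=Sales,DC=abc,DC=efg", "|")
| mvexpand ObjectDN
| rex field=ObjectDN max_match=0 "OU=(?<OU>[^,]+)"
| where isnotnull(mvfind(OU, "^Admin$"))
| eval MatchedOU=mvfilter(match(OU, "^Admin$"))
| table ObjectDN OU MatchedOU
```

Only the first two sample DNs pass the filter; the anchors in `^Admin$` keep `OU=Administrators` from matching as a substring.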