I have some strings like below returned by my Splunk base search:
"CN=aa,OU=bb,DC=cc,DC=dd,DC=ee"
"CN=xx,OU=bb,DC=cc,DC=yy,DC=zz"
"CN=ff,OU=gg,OU=hh,DC=ii,DC=jj"
"CN=kk,DC=ll,DC=mm"
Note: CN, OU, DC could be 0 or many.
My ultimate goal is to find all OUs something like below.
(The combinations also need to be unique.)
(All blank lines can be excluded.)
e.g.:
bb (blank)
gg hh
(blank) (blank)
The query that I am using currently is very naive.
Plus it is not generic.
It will work if at least one of my splits results in 5 parts (0,1,2,3,4).
But, it will not work and give blank results if none of my split results into 5 parts (0,1,2,3,4) i.e. all of them result in less than 5 parts.
index=xx sourcetype=yy
| fields s
| rex field=s mode=sed "s/,DC=.*//g"
| eval temp=split(s,",OU=")
| eval a=mvindex(temp,1)
| eval b=mvindex(temp,2)
| eval c=mvindex(temp,3)
| eval d=mvindex(temp,4)
| dedup a b c d
| table a,b,c,d
How to make it generic i.e. get the count of split and make fields as per maximum split length?
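
One generic way to do this, as an added example that is not part of the original post: pull every OU into a multivalue field with rex max_match=0, dedup on the joined combination, then pivot each position into its own column with xyseries so the number of columns follows the longest combination found. The field s and the four sample DNs come from the post (loaded here with makeresults so the search runs on its own); ou, combo, pos, col and val are hypothetical helper field names.

```spl
| makeresults
| eval s=split("CN=aa,OU=bb,DC=cc,DC=dd,DC=ee;CN=xx,OU=bb,DC=cc,DC=yy,DC=zz;CN=ff,OU=gg,OU=hh,DC=ii,DC=jj;CN=kk,DC=ll,DC=mm", ";")
| mvexpand s
| rex field=s max_match=0 "\bOU=(?<ou>[^,]+)"
| where isnotnull(ou)
| eval combo=mvjoin(ou, ",")
| dedup combo
| eval pos=mvrange(0, mvcount(ou))
| mvexpand pos
| eval col="ou".(tonumber(pos)+1), val=mvindex(ou, tonumber(pos))
| xyseries combo col val
| fields - combo
```

To use it on real data, replace the first three lines with the base search (index=xx sourcetype=yy | fields s). The pattern [^,]+ assumes OU values contain no escaped commas (\,); a DN that has them needs a stricter pattern.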