Creating a Splunk Alert Pulling important information from a field using Regex


I am creating a Splunk alert for Active Directory events when anything gets moved. I am having trouble implementing regex in the search.

So I created a regex like this:

=(\b\w+.\w?.?.?\w+\s?\w+),(?:.?.?.?)(\w+\s?\w+),(?:.?.?.?)(\w+\s?\w+),(?:.?.?.?)(\w+\s?\w+) 

It's not really working the way I would like it to. The sample data I am working with looks like this:

CN=User Test,OU=Admins,OU=Users,OU=Test,OU=12Test Test,DC=test,DC=test12,DC=test,DC=test
CN=User T. Test ADM,OU=Users,OU=Test,OU=Test,DC=test12,DC=test,DC=abc,DC=test

The issue is that I need to ignore CN= and the OU= and only get the strings after them, while ignoring anything after DC=, and extract those values as a variable or an accessible string.

For Example I'd want my output to look like this in the alert

User Account <CN= String> moved from <12Test> <Test> <Users>

1 answer

Jofiel-Nguyen On

To extract the desired information from your sample data in Splunk using regular expressions (regex), you can use Splunk's rex command. Here's a Splunk search query that will help you achieve the desired output:

index=your_index sourcetype=your_sourcetype
| rex field=_raw "CN=(?<cn>[^,]+),"
| rex field=_raw max_match=0 "OU=(?<ou>[^,]+)"
| rex field=_raw max_match=0 "DC=(?<dc>[^,]+)"
| eval message="User Account <CN=" . cn . "> moved from <" . mvjoin(ou, "> <") . ">"
| table message

Explanation: index=your_index sourcetype=your_sourcetype: Replace your_index and your_sourcetype with the appropriate values to specify the index and sourcetype of your Active Directory events.

rex field=_raw ...: This command uses the rex command to perform regular expression extraction on the _raw field, which typically contains the raw log data.

The regex patterns in the rex commands (CN=(?<cn>[^,]+), OU=(?<ou>[^,]+) and DC=(?<dc>[^,]+)) capture the values following CN=, OU=, and DC= in your log data. They create named capture groups (cn, ou, and dc) for each of these values; max_match=0 keeps every OU= and DC= match as a multivalue field instead of only the first.

eval message="User Account <CN=" . cn . "> moved from <" . mvjoin(ou, "> <") . ">": This eval command creates a new field called message where you can format the output message as desired. It includes the extracted values from the named capture groups, with mvjoin placing each OU value in its own angle brackets.

table message: This command selects only the message field for display in the search results.

After running this Splunk search query, the output should provide you with the desired format, where "User Account" is followed by the CN value and "moved from" is followed by the OU values.
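The extraction above is worth prototyping offline before it goes into an alert, because the two sample lines in the question do not have the same number of OU= components (four in the first, three in the second), so any pattern with a fixed count of OU groups silently fails on one of them. The following is an added example, not code from the question or the answer: it uses Python's re module to parse each relative distinguished name in turn, keeps the CN and every OU regardless of count, drops the DC components, and builds the alert text with the outermost container first as in the desired output. The first two sample DNs are copied from the question; the third, with an RFC 4514 escaped comma in the CN, is constructed here as an assumption about what production data can contain, and the "<domain root>" placeholder for DNs without any OU is a choice made for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample DNs: the first two are the question's sample lines, the
# third is an assumed DN with an RFC 4514 escaped comma ("\,") inside the CN.
SAMPLE_DNS = [
    "CN=User Test,OU=Admins,OU=Users,OU=Test,OU=12Test Test,DC=test,DC=test12,DC=test,DC=test",
    "CN=User T. Test ADM,OU=Users,OU=Test,OU=Test,DC=test12,DC=test,DC=abc,DC=test",
    r"CN=Smith\, John,OU=Sales,OU=Corp,DC=example,DC=com",
]

# One relative distinguished name (RDN): key=value, where the value runs up to
# the next comma that is not escaped with a backslash. A plain [^,]+ stops
# early on "Smith\, John"; this pattern does not.
RDN_RE = re.compile(r"(?P<key>[A-Za-z]+)=(?P<value>(?:\\.|[^,\\])+)")


@dataclass
class ParsedDN:
    cn: str
    ous: list = field(default_factory=list)  # in DN order: innermost container first
    dcs: list = field(default_factory=list)


def parse_dn(dn: str) -> ParsedDN:
    """Split a DN into its CN, every OU (however many there are) and every DC."""
    cn = None
    ous, dcs = [], []
    for m in RDN_RE.finditer(dn):
        key = m.group("key").upper()
        value = m.group("value").replace("\\,", ",")  # unescape "\," inside a value
        if key == "CN" and cn is None:
            cn = value
        elif key == "OU":
            ous.append(value)
        elif key == "DC":
            dcs.append(value)
    if cn is None:
        raise ValueError(f"no CN= component in DN: {dn!r}")
    return ParsedDN(cn=cn, ous=ous, dcs=dcs)


def alert_message(dn: str) -> str:
    """Build the alert text: CN first, then the OU path outermost container first.

    DC components are parsed but deliberately left out, as the question asks.
    """
    parsed = parse_dn(dn)
    # Reverse so the top-level OU is printed first, matching the desired output.
    path = " ".join(f"<{ou}>" for ou in reversed(parsed.ous))
    if not path:
        path = "<domain root>"  # example placeholder for objects with no OU at all
    return f"User Account <{parsed.cn}> moved from {path}"


if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        print(alert_message(dn))
```

In SPL the equivalent of the OU loop is rex with max_match=0 (for example `| rex field=_raw max_match=0 "OU=(?<ou>[^,]+)"`), which stores every OU= match in a multivalue field that mvjoin can join; note that the PCRE pattern [^,]+ used there still stops at an escaped comma, so if your directory contains names with "\," in the CN the value pattern from the example above is the one to carry over.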