topic Re: How to add a column showing search criteria that matched results? in Splunk Search

How to add a column showing search criteria that matched results?

quadrant8 — Thu, 01 Aug 2019 22:30:20 GMT

I'm writing a search to parse the command line arguments of 4688 events, and want to be able to sort by what matched in my search criteria.

The arguments I'm searching for don't have a set order they appear in, so it's a mess to try and write regex to parse what the result hit on.

Is there any way to add a column to the result table that shows what search criteria the result hit on?

Re: How to add a column showing search criteria that matched results?

nabeel652 — Fri, 02 Aug 2019 00:18:00 GMT

can you post your search and the search criteria you are using?

Re: How to add a column showing search criteria that matched results?

begleyj1 — Wed, 30 Sep 2020 02:41:59 GMT

If you have the windows TA, the process command line field should be extracted automatically as the field Process_Command_Line. If not, you can use the rex command and group off of that.

...| rex field=_raw "Process Command Line: (?<Command_Line>[^\n]+)" | stats count by Command_Line