topic Re: Need to write both rex and regex in Splunk Search

Need to write both rex and regex

vishwanadhan_mu — Mon, 01 Jul 2019 06:33:42 GMT

"C:\Users\TestUser\AppData\Local\Microsoft\Teams\Update.exe" --processStart "Teams.exe" --process-start-args "--system-initiated"

Could someone help me writing regex and rex to extract field(which is a process) name after --processStart .

Next I'll filter out filed name which I don't want match.

Thanks in Advance

Re: Need to write both rex and regex

vnravikumar — Mon, 01 Jul 2019 06:43:56 GMT

Try this

| makeresults 
| eval temp="\"C:\Users\TestUser\AppData\Local\Microsoft\Teams\Update.exe\" --processStart \"Teams.exe\" --process-start-args \"--system-initiated\"" 
| rex field=temp "--processStart\s\"(?P<processname>[^--]+)\""

Re: Need to write both rex and regex

jawaharas — Mon, 01 Jul 2019 06:52:57 GMT

Try this.

Field extracted using space as delimiter.

| makeresults 
 | eval input="\"C:\Users\TestUser\AppData\Local\Microsoft\Teams\Update.exe\" --processStart \"Teams.exe\" --process-start-args \"--system-initiated\"" 
 | rex field=input "^(?:[^\s]* ){2}\"(?<process>[^ ]+)\""

Re: Need to write both rex and regex

vishwanadhan_mu — Mon, 01 Jul 2019 07:02:09 GMT

This worked. Thanks a lot

Re: Need to write both rex and regex

vishwanadhan_mu — Mon, 01 Jul 2019 07:03:50 GMT

This too worked for me. Thanks a lot.

Re: Need to write both rex and regex

vishwanadhan_mu — Mon, 01 Jul 2019 07:14:59 GMT

If you don't mind can you explain me [^--]+)\"" this part

Re: Need to write both rex and regex

vnravikumar — Mon, 01 Jul 2019 07:18:40 GMT

I mentioned to extract from processStart to before --