topic Re: Why does this field extraction and rex give different results? in Splunk Search

Why does this field extraction and rex give different results?

tfilip — Tue, 10 May 2022 20:21:39 GMT

I'm completely stuck here. I'm trying to extract the "Path" from a logfile with this format:

Time: 05/10/2022 11:26:53 Event: Traffic IP Address: xxxxxxxxxx Description: HOST PROCESS FOR WINDOWS SERVICES Path: C:\Windows\System32\svchost.exe Message: Blocked Incoming UDP - Source xxxxxxxxxx : (xxxx) Destination xxxxxxxxxx : (xxxxx) Matched Rule: Block all traffic

using this regex

((Path:\s{1,2})(?<fwpath>.+))

It does exactly what I want when I use rex, it extracts the path as "fwpath". However, when I do it as a field extraction, it matches the rest of the log entry. Why is it behaving differently for these two?

Re: Why does this field extraction and rex give different results?

ITWhisperer — Tue, 10 May 2022 22:39:42 GMT

Try this

((Path:\s{1,2})(?<fwpath>\S+))

Re: Why does this field extraction and rex give different results?

tfilip — Wed, 11 May 2022 15:06:40 GMT

That (almost) did it! I had to replace \S with \N so that it wouldn't stop at spaces in paths, like "C:\Program Files".

Thanks much!