https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-search-for-certain-events-within-raw-data/m-p/314806#M94220 <P>thx iventsekar,</P> <PRE><CODE>index=main base-search "C:\\Windows\\explorer" </CODE></PRE> <P>this was good enough, I didn't know about the \ , that was probably the reason I couldn't get any results, but it works now, thank you</P> Wed, 18 Oct 2017 07:04:16 GMT ecanmaster 2017-10-18T07:04:16Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-search-for-certain-events-within-raw-data/m-p/314800#M94214 <P>Would it be possible to search for certain events within the raw data?<BR /> For example, I need to find events with C:\Windows\explorer.exe</P> <P>I used | extract kvdelim=":\t" pairdelim="\n" on the raw events, but its not parsing the field that I wanted,<BR /> so I used rex to get the field parsed and this worked, bu then I couldn't do any searches on the field, because I need to adjust fields.conf or something like that, so instead of creating fields, I was wondering if we could straight search for the events with Rex?</P> <P>Or maybe eval would be better command to create field and search for events within a field?</P> Tue, 17 Oct 2017 09:57:28 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-search-for-certain-events-within-raw-data/m-p/314800#M94214 ecanmaster 2017-10-17T09:57:28Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-search-for-certain-events-within-raw-data/m-p/314801#M94215 <P>you want to list down the events which contains the string "C:\Windows\explorer.exe" or you want to extract this or similar paths from the events.. please clarify.. maybe post some sample events. </P> Tue, 17 Oct 2017 10:02:32 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-search-for-certain-events-within-raw-data/m-p/314801#M94215 inventsekar 2017-10-17T10:02:32Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-search-for-certain-events-within-raw-data/m-p/314802#M94216 <P>just events containing this string in the raw data: "C:\Windows\explorer.exe"</P> Tue, 17 Oct 2017 10:06:57 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-search-for-certain-events-within-raw-data/m-p/314802#M94216 ecanmaster 2017-10-17T10:06:57Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-search-for-certain-events-within-raw-data/m-p/314803#M94217 <P>just you can include the C:\Windows\explorer.exe as a search string with "\" escaped - <BR /> <CODE>index=main base-search "C:\\Windows\\explorer"</CODE></P> Tue, 17 Oct 2017 10:21:25 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-search-for-certain-events-within-raw-data/m-p/314803#M94217 inventsekar 2017-10-17T10:21:25Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-search-for-certain-events-within-raw-data/m-p/314804#M94218 <P>just you can include the C:\Windows\explorer.exe as a search string with "\" escaped - <BR /> <CODE>index=main base-search "C:\\Windows\\explorer"</CODE></P> <P>if regex is needed, <BR /> <CODE>base-search | regex _raw="C:\\\Windows\\\explorer\.exe</CODE><BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/3683i6793DB54166F10FB/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Tue, 17 Oct 2017 10:34:03 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-search-for-certain-events-within-raw-data/m-p/314804#M94218 inventsekar 2017-10-17T10:34:03Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-search-for-certain-events-within-raw-data/m-p/314805#M94219 <P>@ecanmaster, if the answer looks good, can you please accept the answer, thanks.</P> Tue, 17 Oct 2017 11:29:44 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-search-for-certain-events-within-raw-data/m-p/314805#M94219 inventsekar 2017-10-17T11:29:44Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-search-for-certain-events-within-raw-data/m-p/314806#M94220 <P>thx iventsekar,</P> <PRE><CODE>index=main base-search "C:\\Windows\\explorer" </CODE></PRE> <P>this was good enough, I didn't know about the \ , that was probably the reason I couldn't get any results, but it works now, thank you</P> Wed, 18 Oct 2017 07:04:16 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-search-for-certain-events-within-raw-data/m-p/314806#M94220 ecanmaster 2017-10-18T07:04:16Z