My actual data is 'ProcessName'>C:\Windows\System32\lsass.exe
I want to extract the value from C:\Windows\System32\lsass.exe as a field called Process.
Kindly assist me with a query that fetches the result as "C:\Windows\System32\lsass.exe" and ignores ProcessName'> And
Give this a try:
...
| rex field=mydata "^.*>(?<Process>.*)$"
This will run anywhere:
| makeresults
| eval mydata="'ProcessName'>C:\Windows\System32\lsass.exe"
| rex field=mydata "^.*>(?<Process>.*)$"
The regular expression will pull out any characters after the ">" and before the end of the string as the Process field.
If the separator between key and value were an = sign, Splunk would already have figured that out. 🙂
For your problem, though,
... | rex field=Process "'ProcessName'>(?<ProcessName>.*)"
After that you'll have a field named "ProcessName" just like you want.
Happy Splunking,
Rich
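As an added illustration, not code from this thread, here are the two rex patterns above applied in Python to constructed sample values of mydata, including one with no ">" separator and one with a ">" inside the path, which shows where the two patterns differ:

```python
import re
from typing import Optional

# The two regexes from the answers above, in Python's named-group syntax.
# Splunk's rex uses PCRE-style (?<name>...); Python needs (?P<name>...).
GREEDY_RE = re.compile(r"^.*>(?P<Process>.*)$")                  # first answer
ANCHORED_RE = re.compile(r"'ProcessName'>(?P<ProcessName>.*)")   # Rich's answer


def extract(mydata: str, pattern: re.Pattern = GREEDY_RE) -> Optional[str]:
    """Return the named-group value, or None when the regex does not match
    (Splunk's rex likewise leaves the field unset when nothing matches)."""
    m = pattern.search(mydata)
    if m is None:
        return None
    return m.group(1)


# Constructed sample values for the mydata field (not from the original post).
SAMPLES = {
    "plain": "'ProcessName'>C:\\Windows\\System32\\lsass.exe",
    "no_separator": "'ProcessName' C:\\Windows\\System32\\lsass.exe",
    "extra_gt": "'ProcessName'>C:\\Temp\\a>b\\lsass.exe",
}


def demo() -> dict:
    """Apply both patterns to every sample; values are (greedy, anchored)."""
    return {name: (extract(v), extract(v, ANCHORED_RE)) for name, v in SAMPLES.items()}
```

The greedy `^.*>` backtracks to the last ">" in the string, so a path that itself contains ">" is truncated, while the literal `'ProcessName'>` anchor keeps the whole value; both yield no field when the separator is absent.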