Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Field extraction

thiru1
Engager
‎04-08-2019 02:32 AM

My actual data is 'ProcessName'>C:\Windows\System32\lsass.exe
Wanting to extract the field from C:\Windows\System32\lsass.exe as a field called Process
kindly assist get me a query that fetchs the result as "C:\Windows\System32\lsass.exe" and ignore ProcessName'> And

Tags (1)
Reply

grittonc
Contributor
‎04-08-2019 05:40 AM

Give this a try: 

   ... 
| rex field=mydata "^.*>(?<Process>.*)$"

This will run anywhere:

| makeresults 
| eval mydata="'ProcessName'>C:\Windows\System32\lsass.exe"
| rex field=mydata "^.*>(?<Process>.*)$"

The regular expression will pull out any characters after the ">" and before the end of the string as the Process field.

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎04-08-2019 05:34 AM

If the separator between key and value were and = sign, Splunk would already have figured that out. 🙂

For your problem, though, 

... | rex field=Process "'ProcessName'>(?<ProcessName>.*)"

After that you'll have a field named "ProcessName" just like you want.

Happy Splunking,
Rich

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...