Field extraction

thiru1 · ‎04-08-2019

My actual data is 'ProcessName'>C:\Windows\System32\lsass.exe
Wanting to extract the field from C:\Windows\System32\lsass.exe as a field called Process
kindly assist get me a query that fetchs the result as "C:\Windows\System32\lsass.exe" and ignore ProcessName'> And

grittonc · ‎04-08-2019

Give this a try:

   ... 
| rex field=mydata "^.*>(?<Process>.*)$"

This will run anywhere:

| makeresults 
| eval mydata="'ProcessName'>C:\Windows\System32\lsass.exe"
| rex field=mydata "^.*>(?<Process>.*)$"

The regular expression will pull out any characters after the ">" and before the end of the string as the Process field.

Richfez · ‎04-08-2019

If the separator between key and value were and = sign, Splunk would already have figured that out. 🙂

For your problem, though,

... | rex field=Process "'ProcessName'>(?<ProcessName>.*)"

After that you'll have a field named "ProcessName" just like you want.

Happy Splunking,
Rich

Field extraction

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Are you a member of the Splunk Community?

Field extraction

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...