Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Field extraction

thiru1
Engager
‎04-08-2019 02:32 AM

My actual data is 'ProcessName'>C:\Windows\System32\lsass.exe
Wanting to extract the field from C:\Windows\System32\lsass.exe as a field called Process
kindly assist get me a query that fetchs the result as "C:\Windows\System32\lsass.exe" and ignore ProcessName'> And

Tags (1)
Reply

grittonc
Contributor
‎04-08-2019 05:40 AM

Give this a try: 

   ... 
| rex field=mydata "^.*>(?<Process>.*)$"

This will run anywhere:

| makeresults 
| eval mydata="'ProcessName'>C:\Windows\System32\lsass.exe"
| rex field=mydata "^.*>(?<Process>.*)$"

The regular expression will pull out any characters after the ">" and before the end of the string as the Process field.

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎04-08-2019 05:34 AM

If the separator between key and value were and = sign, Splunk would already have figured that out. 🙂

For your problem, though, 

... | rex field=Process "'ProcessName'>(?<ProcessName>.*)"

After that you'll have a field named "ProcessName" just like you want.

Happy Splunking,
Rich

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...