Field extraction

thiru1 · ‎04-08-2019

My actual data is 'ProcessName'>C:\Windows\System32\lsass.exe
Wanting to extract the field from C:\Windows\System32\lsass.exe as a field called Process
kindly assist get me a query that fetchs the result as "C:\Windows\System32\lsass.exe" and ignore ProcessName'> And

grittonc · ‎04-08-2019

Give this a try:

   ... 
| rex field=mydata "^.*>(?<Process>.*)$"

This will run anywhere:

| makeresults 
| eval mydata="'ProcessName'>C:\Windows\System32\lsass.exe"
| rex field=mydata "^.*>(?<Process>.*)$"

The regular expression will pull out any characters after the ">" and before the end of the string as the Process field.

Richfez · ‎04-08-2019

If the separator between key and value were and = sign, Splunk would already have figured that out. 🙂

For your problem, though,

... | rex field=Process "'ProcessName'>(?<ProcessName>.*)"

After that you'll have a field named "ProcessName" just like you want.

Happy Splunking,
Rich

Field extraction

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation

Field extraction

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future