Monitoring Splunk

Windows Security logs and USB Monitoring

rduro
New Member

Dear All,

I'm trying to find a way to catch the number 0018F3D97D02BBA0517E001A&0 which before the last backslash.

I put an extract of the line I want to a reg on it.

Object Name:    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DT_R500&Rev_PMAP\0018F3D97D02BBA0517E001A&0

The reg command I used is the following:

| rex field=_raw "USBSTOR.*_(?<USBID>......?)"|

I just want to extract all data after the last backslash.

Please help,

Best regards,

Raph

Tags (2)
0 Karma

Ayn
Legend

If that code is the last text in the event, how about:

| rex "(?<USBID>[^\\]+)$"
Get Updates on the Splunk Community!

Unlock New Opportunities with Splunk Education: Explore Our Latest Courses!

At Splunk Education, we’re dedicated to providing top-tier learning experiences that cater to every skill ...

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...