Splunk Query related

rupesh67nikam · ‎11-20-2019

I've written below query,

index=* sourcetype=* EventCode=* | rex field=_raw "((Process Command Line:\t)(?(.+)*))" |stats count by field.

Tried extracting "Process Command line" field. After extracting i can see that though it doesn't contain any value(not even spaces), Splunk is not taking it as NULL.Instead it is taking as if field has some command line.

Could you please help?

vikcee · ‎11-21-2019

Please Provide the Sample log, So that we can see if is there any issue with rex or something else.

Normally rex syntax is like below.
(?<Field_Name>Regular_Expression)

gcusello · ‎11-20-2019

Hi @rupesh67nikam,
I cannot read you search, you should insert it in Sample Code.

Anyway, in your regex I see spaces in field name (but could be a visualization error) and it's better not use them.
Then in stats count BY field command, you should use a field name (not field), e.g. something like

| stats count by Process_Command_Line

or

| stats count by "Process Command Line"

Ciao.
Giuseppe

Sukisen1981 · ‎11-20-2019

could you please provide samples of your raw event and what you want to extract out of that?

Splunk Query related

What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience

Get Schooled with Splunk Education: Explore Our Latest Courses

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL