Splunk Query related

rupesh67nikam · ‎11-20-2019

I've written below query,

index=* sourcetype=* EventCode=* | rex field=_raw "((Process Command Line:\t)(?(.+)*))" |stats count by field.

Tried extracting "Process Command line" field. After extracting i can see that though it doesn't contain any value(not even spaces), Splunk is not taking it as NULL.Instead it is taking as if field has some command line.

Could you please help?

vikcee · ‎11-21-2019

Please Provide the Sample log, So that we can see if is there any issue with rex or something else.

Normally rex syntax is like below.
(?<Field_Name>Regular_Expression)

gcusello · ‎11-20-2019

Hi @rupesh67nikam,
I cannot read you search, you should insert it in Sample Code.

Anyway, in your regex I see spaces in field name (but could be a visualization error) and it's better not use them.
Then in stats count BY field command, you should use a field name (not field), e.g. something like

| stats count by Process_Command_Line

or

| stats count by "Process Command Line"

Ciao.
Giuseppe

Sukisen1981 · ‎11-20-2019

could you please provide samples of your raw event and what you want to extract out of that?

Splunk Query related

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Join the Conversation

Splunk Query related

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits