Hello,
I have these events where I want to extract a filename. Right now, none of the fields capture the Filename("this is what I want to capture") as a field. Using the regex or delimiter generators from Splunk to produce a new field is not giving me good results, so I believe it is best to write one.
Basically, what I want is the information inside the quotes of FileName("") for each event. I indicate it with a red line.
Try this:
YOUR SEARCH|rex "Filename\(\"(?<my_filename>[^\"]+)"
This should create a new file called my_filename
Thank you! works
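A way to check the extraction from the answer above before relying on it, added here as an example that is not part of the original thread. The three events are constructed sample data, and `n` is just a row counter. The question spells the token both `Filename(` and `FileName(`, and `rex` matches case-sensitively by default, so this variant adds the inline `(?i)` flag; the third event has no filename token and should come back with `my_filename` empty.

```spl
| makeresults count=3
| streamstats count AS n
| eval _raw=case(
    n=1, "constructed sample: action=scan FileName(\"report.docx\") result=clean",
    n=2, "constructed sample: action=scan Filename(\"setup.exe\") result=blocked",
    n=3, "constructed sample: action=heartbeat result=ok")
| rex field=_raw "(?i)Filename\(\"(?<my_filename>[^\"]+)"
| table n my_filename _raw
```

Removing `(?i)` from the pattern shows which spelling the original expression misses on this sample.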