Splunk Search

Field extraction of similiar field across multiple line from Powershell logs

Explorer

Hi, i was hoping to extract all the fields after "CommandInvocation" that appears in the PS log but i wasnt able to extract properly. Does anyone have any idea?

My rex as follow: "(\n)+CommandInvocation((?.+))"

Sample:
Oct 10 10:10:10 1.1.1.1 Hostname INFO 4103 Hostname\user CommandInvocation(Stop-AgentJob): "Stop-AgentJob"
CommandInvocation(Format-List): "Format-List"
CommandInvocation(Out-String): "Out-String"

Expectation of field:
Stop-AgentJob
Format-List
Out-String

Tags (2)
0 Karma
1 Solution

Ultra Champion
| stats count
| eval _raw="Oct 10 10:10:10 1.1.1.1 Hostname INFO 4103 Hostname\\user CommandInvocation(Stop-AgentJob): \"Stop-AgentJob\"
CommandInvocation(Format-List): \"Format-List\"
CommandInvocation(Out-String): \"Out-String\""
| rex max_match=10 "\bCommandInvocation\((?<yourField>[^\)]+)"

Hi, try max_match option.

View solution in original post

0 Karma

Ultra Champion
| stats count
| eval _raw="Oct 10 10:10:10 1.1.1.1 Hostname INFO 4103 Hostname\\user CommandInvocation(Stop-AgentJob): \"Stop-AgentJob\"
CommandInvocation(Format-List): \"Format-List\"
CommandInvocation(Out-String): \"Out-String\""
| rex max_match=10 "\bCommandInvocation\((?<yourField>[^\)]+)"

Hi, try max_match option.

View solution in original post

0 Karma

Explorer

thanks! max_match work like a charm

0 Karma