Hello
Im trying to run this query from Splunk API and getting this error:
'rex' is not recognized as an internal or external command,
operable program or batch file.
Can you help me please?
"index=wineventlog sourcetype=\"WinEventLog:Security\" (EventCode=4698 OR EventCode=4702) *ADDC*\n| where LIKE(Account_Name,\"%$\")\n| eval operation=(if(EventCode==4698,\"new\",\"update\"))\n| rex field=Message \"<Command>(?<Command>[^\\;]+)</Command>\"\n| rex field=Message \"<Arguments>(?<Arguments>[^\\;]+)</Arguments>\"\n| rex field=Message \"<UserId>(?<UserId>[^\\;]+)</UserId>\"\n| where !LIKE(Command,\"%sc.exe\")\n| where !LIKE(Command,\"%usoclient.exe\")\n| where !LIKE(Command,\"%ceipdata.exe\")\n| where !LIKE(Command,\"%OfficeC2RClient.exe\")\n| where !LIKE(Command,\"%rundll32.exe\")\n| where !LIKE(Command,\"%wermgr.exe\")\n| where !LIKE(Command,\"%MusNotification.exe\")\n| where !LIKE(Command,\"%MpCmdRun.exe\")\n| where !LIKE(Command,\"%SymErr.exe\")\n| eval user=case(UserId==\"S-1-5-18\",\"Local System\",UserId==\"S-1-5-19\",\"Local Service\",UserId==\"S-1-5-20\",\"Network Service\",true(),UserId)\n| stats values(Task_Name) as taskname values(operation) as event by _time Account_Name Command Arguments user\n| sort - _time"
