Splunk Search

How do I write the regex to extract the Application Name from my sample raw logs?

pdumblet
Explorer

I have the following results from my search. I am trying to extract the Application Name from the raw log using the following regex, but it is not working. Any suggestions?

index=symantec PAC-20.2 user=SYSTEM | rex field=_raw ",C\:\/WINDOWS\/ (?.*) + ,0,"

Sample data:

Jul  8 10:44:06 USALSEPP1 SymantecServer: USGE58122D,Blocked,Prevent modification of system files - Caller MD5=e13f5091775bc35a844faff0de246016,File Write,Begin: 2016-07-08 10:42:51,End: 2016-07-08 10:42:51,Rule: [PAC-20.2] - Prevent modification of system files | [PAC-20.2.1] Prevent modification of system files,1660,C:/Windows/System32/spoolsv.exe,0,No Module Name,C:/Windows/System32/spool/SERVERS/USGEPRINTP01.perrigo.com,User: SYSTEM,Domain: LPCDOMAIN1,Action Type: ,File size (bytes): 0,Device ID: IDE\DiskST320LT020-9YG142_______________________0003LVM1\4&4a6dd28&0&0.0.0

Jul  8 10:35:26 USALSEPP1 SymantecServer: USGE58190D,Blocked,Prevent modification of system files - Caller MD5=5879d691e842574a20fe63817cb76df9,File Write,Begin: 2016-07-08 08:03:27,End: 2016-07-08 08:03:27,Rule: [PAC-20.2] - Prevent modification of system files | [PAC-20.2.1] Prevent modification of system files,5144,C:/WINDOWS/system32/msiexec.exe,0,No Module Name,C:/WINDOWS/CCM/AppVHandler.dll,User: SYSTEM,Domain: LPCDOMAIN1,Action Type: ,File size (bytes): 347320,Device ID: IDE\DiskHGST_HTS545032A7E380____________________GGBZBF40\4&4a6dd28&0&0.0.0
0 Karma
1 Solution

sundareshr
Legend

Try this

... | rex "C:\/W(INDOWS|indows)(?<appname>[^,]+)" | table appname

View solution in original post

0 Karma

sundareshr
Legend

Try this

... | rex "C:\/W(INDOWS|indows)(?<appname>[^,]+)" | table appname
0 Karma

pdumblet
Explorer

Thank you Sundareshr

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...