I have the following results from my search. I am trying to extract the Application Name from the raw log using the following regex, but it is not working. Any suggestions?
index=symantec PAC-20.2 user=SYSTEM | rex field=_raw ",C\:\/WINDOWS\/ (?.*) + ,0,"
Sample data:
Jul 8 10:44:06 USALSEPP1 SymantecServer: USGE58122D,Blocked,Prevent modification of system files - Caller MD5=e13f5091775bc35a844faff0de246016,File Write,Begin: 2016-07-08 10:42:51,End: 2016-07-08 10:42:51,Rule: [PAC-20.2] - Prevent modification of system files | [PAC-20.2.1] Prevent modification of system files,1660,C:/Windows/System32/spoolsv.exe,0,No Module Name,C:/Windows/System32/spool/SERVERS/USGEPRINTP01.perrigo.com,User: SYSTEM,Domain: LPCDOMAIN1,Action Type: ,File size (bytes): 0,Device ID: IDE\DiskST320LT020-9YG142_______________________0003LVM1\4&4a6dd28&0&0.0.0
Jul 8 10:35:26 USALSEPP1 SymantecServer: USGE58190D,Blocked,Prevent modification of system files - Caller MD5=5879d691e842574a20fe63817cb76df9,File Write,Begin: 2016-07-08 08:03:27,End: 2016-07-08 08:03:27,Rule: [PAC-20.2] - Prevent modification of system files | [PAC-20.2.1] Prevent modification of system files,5144,C:/WINDOWS/system32/msiexec.exe,0,No Module Name,C:/WINDOWS/CCM/AppVHandler.dll,User: SYSTEM,Domain: LPCDOMAIN1,Action Type: ,File size (bytes): 347320,Device ID: IDE\DiskHGST_HTS545032A7E380____________________GGBZBF40\4&4a6dd28&0&0.0.0
Try this
... | rex "C:\/W(INDOWS|indows)(?<appname>[^,]+)" | table appname
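To see why the asker's pattern misses and the answer's pattern hits, here is an added Python check (not from the thread and not Splunk's own code) that runs both expressions over the two events quoted in the question. Python spells named groups `(?P<name>...)` where Splunk's PCRE uses `(?<name>...)`, so the patterns are transliterated accordingly; the asker's group name is missing in the post, so `appname` is assumed there. A third, tightened pattern is added as well: it is not from the thread, and it anchors on the numeric field before the path and the `,0,` after it, so it returns the full path regardless of directory-name casing.

```python
import re

# The two events posted in the question, kept as raw strings so the
# backslashes in the Device ID field are not interpreted as escapes.
SAMPLE_EVENTS = [
    r"Jul 8 10:44:06 USALSEPP1 SymantecServer: USGE58122D,Blocked,Prevent modification of system files - Caller MD5=e13f5091775bc35a844faff0de246016,File Write,Begin: 2016-07-08 10:42:51,End: 2016-07-08 10:42:51,Rule: [PAC-20.2] - Prevent modification of system files | [PAC-20.2.1] Prevent modification of system files,1660,C:/Windows/System32/spoolsv.exe,0,No Module Name,C:/Windows/System32/spool/SERVERS/USGEPRINTP01.perrigo.com,User: SYSTEM,Domain: LPCDOMAIN1,Action Type: ,File size (bytes): 0,Device ID: IDE\DiskST320LT020-9YG142_______________________0003LVM1\4&4a6dd28&0&0.0.0",
    r"Jul 8 10:35:26 USALSEPP1 SymantecServer: USGE58190D,Blocked,Prevent modification of system files - Caller MD5=5879d691e842574a20fe63817cb76df9,File Write,Begin: 2016-07-08 08:03:27,End: 2016-07-08 08:03:27,Rule: [PAC-20.2] - Prevent modification of system files | [PAC-20.2.1] Prevent modification of system files,5144,C:/WINDOWS/system32/msiexec.exe,0,No Module Name,C:/WINDOWS/CCM/AppVHandler.dll,User: SYSTEM,Domain: LPCDOMAIN1,Action Type: ,File size (bytes): 347320,Device ID: IDE\DiskHGST_HTS545032A7E380____________________GGBZBF40\4&4a6dd28&0&0.0.0",
]

# Asker's pattern. The post shows "(?.*)", so the group name was lost;
# "appname" is an assumption. It fails for two reasons: the literal
# space after "WINDOWS/" (the events have none) and the upper-case
# "WINDOWS", which does not match "C:/Windows" in the first event.
ASKER_PATTERN = re.compile(r",C:/WINDOWS/ (?P<appname>.*) + ,0,")

# Answer's pattern from the thread, with (?<appname>) written the Python way.
# It tolerates both spellings of the directory but captures only the part
# after "C:/Windows", i.e. "/System32/spoolsv.exe".
ANSWER_PATTERN = re.compile(r"C:/W(INDOWS|indows)(?P<appname>[^,]+)")

# Tightened variant added here (not from the thread): anchor on the numeric
# field before the path and the ",0," field after it, ignore case, and
# return the whole path so the extraction does not depend on the directory name.
STRICT_PATTERN = re.compile(r",\d+,(?P<appname>[A-Za-z]:/[^,]+),0,", re.IGNORECASE)


def extract(pattern, event):
    """Return the appname capture for one event, or None when the pattern does not match."""
    match = pattern.search(event)
    return match.group("appname") if match else None


def extract_all(pattern, events):
    """Apply one pattern to every event; None marks events the pattern misses."""
    return [extract(pattern, event) for event in events]


def basename(path):
    """Last path component, e.g. 'spoolsv.exe', or None when there is no path."""
    return path.rsplit("/", 1)[-1] if path else None


if __name__ == "__main__":
    for name, pattern in (("asker", ASKER_PATTERN),
                          ("answer", ANSWER_PATTERN),
                          ("strict", STRICT_PATTERN)):
        print(name, extract_all(pattern, SAMPLE_EVENTS))
```

The strict pattern carries back to Splunk as `rex "(?i),\d+,(?<appname>[A-Za-z]:/[^,]+),0,"`; the `(?i)` flag does in PCRE what `re.IGNORECASE` does here. Anchoring on the neighbouring fields rather than on a directory spelling is the habit worth keeping when the log source is a Symantec blocking rule, since the path casing varies per host while the field layout does not.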
Thank you Sundareshr