Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to add a column showing search criteria that matched results?

quadrant8
New Member
‎08-01-2019 03:30 PM

I'm writing a search to parse the command line arguments of 4688 events, and want to be able to sort by what matched in my search criteria.

The arguments I'm searching for don't have a set order they appear in, so it's a mess to try and write regex to parse what the result hit on.

Is there any way to add a column to the result table that shows what search criteria the result hit on?

0 Karma
Reply

begleyj1
Path Finder
‎10-24-2019 05:29 PM

If you have the windows TA, the process command line field should be extracted automatically as the field Process_Command_Line. If not, you can use the rex command and group off of that. 

...| rex field=_raw "Process Command Line: (?<Command_Line>[^\n]+)" | stats count by Command_Line
0 Karma
Reply

nabeel652
Builder
‎08-01-2019 05:18 PM

can you post your search and the search criteria you are using?

0 Karma
Reply
Get Updates on the Splunk Community!

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

Observability Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestSplunk APM's New Tag Filter ExperienceSplunk APM has updated ...