How to add a column showing search criteria that m...

quadrant8 · ‎08-01-2019

I'm writing a search to parse the command line arguments of 4688 events, and want to be able to sort by what matched in my search criteria.

The arguments I'm searching for don't have a set order they appear in, so it's a mess to try and write regex to parse what the result hit on.

Is there any way to add a column to the result table that shows what search criteria the result hit on?

begleyj1 · ‎10-24-2019

If you have the windows TA, the process command line field should be extracted automatically as the field Process_Command_Line. If not, you can use the rex command and group off of that.

...| rex field=_raw "Process Command Line: (?<Command_Line>[^\n]+)" | stats count by Command_Line

nabeel652 · ‎08-01-2019

can you post your search and the search criteria you are using?

How to add a column showing search criteria that matched results?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

How to add a column showing search criteria that matched results?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem