Splunk Search

How to extract 'program.exe -switch' from the log and create new field to display with table command

nnaik
Explorer

Hey guys,

I have a log that contains a lot of data but from that, I want to extract 'program.exe -switch' from the log and create a new field that I can display with the table command. I have the regex ready and confirmed on regex101.com. But I tried some of the below in my search with no luck. I've looked up the rex command and examples on answers.splunk.com as well. But not sure how I can use the rex command in this case.

....regex cmd="/^(\s\w\D*.\D*\s\D*\d)$/" | table cmd
....regex cmd="\s\w\D*.\D*\s\D*\d" | table cmd
....regex cmd="\s\w\D*.\D*\s\D*\d" | table cmd

Any ideas how I can get this data?

0 Karma
1 Solution

richgalloway
SplunkTrust

This may be too simplistic of an answer, but I think it addresses the question. Your regular expression is far too complex for the string you say you want to find.

<your search> | rex "(?<cmd>program\.exe -switch property)" | table cmd

If your needs are more complex than this then please edit your question to add more detail.

---
If this reply helps you, Karma would be appreciated.


nnaik
Explorer

Thank you all!

Rich Galloway, your solution works. Thank you! Essentially, I wanted to extract just specific data from logs and create a table of this extracted data only, so that my reports are clean looking. The only change I made is to put \w at the beginning of each word, so if someone typed caps or lowercase it would be captured.

| rex "(?<cmd>\wrogram\.exe -\wwitch \wroperty)" | table cmd

Thanks again!

0 Karma
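An added example, not code from the thread, that emulates `| rex ... | table cmd` with Python's `re` over constructed sample events. It shows why the anchored pattern suggested earlier leaves cmd empty, why the accepted answer's literal pattern works, and how the `(?i)` flag gives the case-insensitive match nnaik wanted (Splunk's rex is PCRE-based, so `(?i)` works there too). Note that Python names a capture group `(?P<cmd>...)` where Splunk rex writes `(?<cmd>...)`.

```python
import re

# Constructed sample events (not from the original thread). The command
# string sits mid-line, as it would in a Windows process-creation event.
EVENTS = [
    "2024-03-01 10:15:02 host=ws01 user=alice New Process Name: "
    "C:\\Tools\\program.exe -switch property",
    "2024-03-01 10:16:45 host=ws02 user=bob New Process Name: "
    "C:\\Tools\\Program.exe -Switch Property",
    "2024-03-01 10:17:10 host=ws03 user=carol New Process Name: "
    "C:\\Windows\\notepad.exe",
]

# Accepted answer: match the literal string, with the dot escaped so it
# cannot match an arbitrary character.
SIMPLE = re.compile(r"(?P<cmd>program\.exe -switch property)")

# Same pattern with (?i): captures the command regardless of how the
# user capitalised it, which is what the \w trick was trying to achieve.
CASE_INSENSITIVE = re.compile(r"(?i)(?P<cmd>program\.exe -switch property)")

# The ^-anchored pattern from the thread. It requires the event to start
# with whitespace, so on real events it never matches.
ANCHORED = re.compile(r"^(?P<cmd>\s\w\D*\.\D*\s\D*\d)")


def rex(events, pattern):
    """Emulate `| rex` then `| table cmd`: one row per event, None when
    the pattern does not match (Splunk would show an empty cmd cell)."""
    rows = []
    for event in events:
        match = pattern.search(event)
        rows.append(match.group("cmd") if match else None)
    return rows


if __name__ == "__main__":
    for name, pattern in [("SIMPLE", SIMPLE),
                          ("CASE_INSENSITIVE", CASE_INSENSITIVE),
                          ("ANCHORED", ANCHORED)]:
        print(name, rex(EVENTS, pattern))
```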

gcusello
SplunkTrust

Hi nnaik,
The regex command is for filtering events with a regex; if you want to extract a field from a log, you have to use the rex command.
If you could share a sample of your data I could be more detailed, but you should try something like this (you can test it on regex101):

your_search
| rex "^(?<cmd>\s\w\D*\.\D*\s\D*\d)"
| table cmd

Bye.
Giuseppe

nnaik
Explorer

Thank you Giuseppe for getting back, but this does not work.

Essentially, event logs come with lots of data and I could create a table from that data, but it is not really clean. I want to be able to grep exactly what I want per alert. So in this case, for example, I want to grep only 'program.exe -switch property', that way I know who is running what. The regex I have will grab this, but I just don't know how to get this in Splunk.

So I tried your command but it does not grab or create a table with just 'program.exe -switch property'. It shows nothing for field cmd.

Any help is appreciated.

0 Karma

adonio
Ultra Champion

Can you share a data sample please?

0 Karma