Hi Team,we are trying to add new field as a display name into interesting field from below raw eventDisplayName: sample-HostnameWe tried the below query but it is not working | rex field=_raw \"DisplayName", "Value":\s(?<DisplayName>\w+).And also please suggest us how to create a query if the user logged in one or more devices.Thanks in advance!
Hi @Nagalakshmi ,
good for you, see next time!
let me know if I can help you more, or, please, accept one answer for the other people of Community.
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated 😉
View solution in original post
Hi @gcusello ,Thanks for the quick response!The above query is perfectly working
this seems to be a json log, so you can extract all fields using the "INDEXED_EXTRACTION = json" in the props.conf or using the "spath" command.
If you want to use a regex, you can use:
| rex "DisplayName\",\s+\"Value\":\s+\"(?<DisplayName>[^\"]+)"
that you can test at https://regex101.com/r/hjQXGU/1
Ciao.
