Hi Team,
We are trying to add a new field, DisplayName, to the Interesting Fields from the raw event below:
DisplayName: sample-Hostname
We tried the query below, but it is not working:
| rex field=_raw \"DisplayName", "Value":\s(?<DisplayName>\w+).
Also, please suggest how to create a query to find whether a user has logged in on one or more devices.
Thanks in advance!
Hi @Nagalakshmi ,
good for you, see next time!
Let me know if I can help you more, or, please, accept one answer for the other people of the Community.
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated 😉
Hi @gcusello ,
Thanks for the quick response!
The above query is working perfectly.
Hi @Nagalakshmi ,
This seems to be a JSON log, so you can extract all fields using "INDEXED_EXTRACTIONS = json" in props.conf, or using the "spath" command.
If you want to use a regex, you can use:
| rex "DisplayName\",\s+\"Value\":\s+\"(?<DisplayName>[^\"]+)"
which you can test at https://regex101.com/r/hjQXGU/1
Ciao.
Giuseppe
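The following is an added example, not part of the thread, that exercises both extraction routes Giuseppe describes (the rex pattern above and a spath-style JSON walk) and then answers the second part of the question (users seen on more than one device) the way `| stats dc(DisplayName) as devices by user | where devices > 1` would in SPL. The sample events are constructed here to mirror the `"DisplayName", "Value": ...` fragment in the question; the `user` and `properties` keys are assumptions, since the thread never shows the full event. The regex is Giuseppe's with the SPL-level `\"` escapes removed, because in Python the pattern is not sitting inside a double-quoted SPL string.

```python
import json
import re
from collections import defaultdict

# Giuseppe's regex with the SPL-level \" escapes removed: inside an SPL
# double-quoted string \" is a literal quote, which is just " here.
DISPLAY_NAME_RE = re.compile(r'DisplayName",\s+"Value":\s+"(?P<DisplayName>[^"]+)')

# Constructed sample events (not from the thread). The Name/Value pair layout
# mirrors the fragment quoted in the question; "user" and "properties" are
# assumed key names.
SAMPLE_EVENTS = [
    '{"user": "alice", "properties": [{"Name": "DisplayName", "Value": "sample-Hostname"}]}',
    '{"user": "alice", "properties": [{"Name": "DisplayName", "Value": "LAPTOP-02"}]}',
    '{"user": "bob",   "properties": [{"Name": "DisplayName", "Value": "DESKTOP-07"}]}',
    '{"user": "bob",   "properties": [{"Name": "DisplayName", "Value": "DESKTOP-07"}]}',
    '{"user": "carol", "properties": [{"Name": "Other", "Value": "no device field"}]}',
]


def extract_display_name(raw):
    """rex-style extraction: return the DisplayName value, or None if absent.

    Note the \\s+ in the pattern: it requires at least one whitespace character
    after the comma and after the colon, so compact JSON such as
    "DisplayName","Value":"X" does not match.
    """
    m = DISPLAY_NAME_RE.search(raw)
    return m.group("DisplayName") if m else None


def extract_display_name_spath(raw):
    """spath-style extraction: parse the JSON and walk the Name/Value pairs.

    This is whitespace-independent, which is why spath / INDEXED_EXTRACTIONS
    is the more robust choice for a genuinely JSON event.
    """
    try:
        event = json.loads(raw)
    except ValueError:
        return None
    for prop in event.get("properties", []):
        if prop.get("Name") == "DisplayName":
            return prop.get("Value")
    return None


def devices_per_user(events):
    """Equivalent of `| stats values(DisplayName) by user`: user -> set of devices."""
    seen = defaultdict(set)
    for raw in events:
        name = extract_display_name(raw)
        if name is None:
            continue  # events without a DisplayName contribute nothing
        user = json.loads(raw).get("user")
        seen[user].add(name)
    return dict(seen)


def users_on_multiple_devices(events, min_devices=2):
    """Equivalent of `| stats dc(DisplayName) as devices by user | where devices >= 2`."""
    return sorted(
        user for user, devices in devices_per_user(events).items()
        if len(devices) >= min_devices
    )


if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        print(extract_display_name(raw), "|", extract_display_name_spath(raw))
    print(devices_per_user(SAMPLE_EVENTS))
    print(users_on_multiple_devices(SAMPLE_EVENTS))
```

One practical caveat the example makes visible: the rex pattern depends on the whitespace in the raw event, so a minified JSON event silently yields no DisplayName, whereas the JSON walk (spath in Splunk) still finds it. For the multi-device question, `dc(DisplayName)` per user is what you want rather than `count`, because repeated logins from the same host (bob above) should not count as multiple devices.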