Splunk Search

How would I configure my regex to also include Windows data?

bluemarvel
Path Finder

I have a query that will identify all the logs in my instance for a certain index; it lists everything running except for Windows. What am I missing? Thanks in advance.

index="source" | rex field=source "^.*\/(?=[^/])(?.*?)($|\s|\-|\_)"
0 Karma

bluemarvel
Path Finder

[screenshot attached in the original post; not reproduced here]

0 Karma

cpetterborg
SplunkTrust

Without seeing more of your data, it appears to me that you are not getting anything with a Windows drive letter. But if you can give more information about your index called "source", it would be easier to help answer the question.

0 Karma
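To make the drive-letter point concrete, here is an added example (not code from the thread) that runs a regex of the same shape as the one in the question against constructed sample `source` values in Python's `re` module, which accepts the same `(?P<name>...)` group syntax as Splunk's `rex`. The capture-group name, the sample paths and the revised pattern are all assumptions made for this illustration; the `\/` in the original pattern requires a forward slash, so a Windows path built from backslashes, or a source such as a Windows event log channel with no path separator at all, never matches.

```python
import re

# Constructed sample values for the "source" field (not data from the thread).
SAMPLE_SOURCES = [
    "/var/log/secure",
    "/u01/app/oracle/diag/alert_orcl.log",
    "C:\\Windows\\System32\\winevt\\Logs\\Security.evtx",
    "WinEventLog:Security",
]

# Same shape as the regex in the question: the ".*\/" prefix demands a forward
# slash, so any source that only has backslashes (or no separator) never matches.
# The group name "name" is assumed here; the original post does not show it.
ORIGINAL = re.compile(r"^.*/(?=[^/])(?P<name>.*?)($|\s|-|_)")

# Revised (assumed) pattern: accept "/" or "\" as the separator, and fall back
# to the start of the string when there is no separator at all.
REVISED = re.compile(r"(?:^.*[/\\](?=[^/\\])|^)(?P<name>.*?)($|\s|-|_)")


def extract_name(source: str, pattern: re.Pattern = REVISED):
    """Return the captured <name> for one source value, or None if it does not match."""
    m = pattern.search(source)
    return m.group("name") if m else None


def compare(sources=SAMPLE_SOURCES):
    """Map each source to (original result, revised result), like `| table source name`."""
    return {s: (extract_name(s, ORIGINAL), extract_name(s, REVISED)) for s in sources}


if __name__ == "__main__":
    for src, (old, new) in compare().items():
        print(f"{src!r:58} original={old!r:20} revised={new!r}")
```

With these samples the original pattern returns None for both Windows-style values while the Linux and Oracle paths extract as before; the revised pattern extracts `Security.evtx` from the backslash path and keeps `WinEventLog:Security` whole. The same idea carries over to `rex`, but check how backslashes must be quoted inside the SPL string before using it in a search.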

bluemarvel
Path Finder

The screenshot is below.

0 Karma

bluemarvel
Path Finder

Enclosed is the query and the result.

0 Karma

bluemarvel
Path Finder

index="source" | rex field=source "^.*\/(?=[^/])(?.*?)($|\s|\-|\_)" ...this is the whole regex

0 Karma

cpetterborg
SplunkTrust

Can you at least provide examples (even obfuscated) of the output of:

index="source" | table source

It should include something from several types, like linux, oracle, windows. Without that information I'm afraid I can't help out at all.

0 Karma

bluemarvel
Path Finder

Well, for privacy concerns I can only provide limited data; the query captures all data except Windows.

The index is not called source; I just used that as an example.
The other data sources it collects are Linux, Oracle, etc.

0 Karma

DalJeanis
Legend

Suggestion - we may be able to solve this here, but if not, then get yourself onto the splunk slack channel, where you can post the semi-confidential data privately in a direct message to someone, then delete it after solving your problem.

info here...
https://answers.splunk.com/answers/443734/is-there-a-splunk-slack-channel.html

0 Karma