Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How would I configure my regex to also include Windows data?

bluemarvel
Path Finder
‎10-17-2017 11:32 AM

I have a query that will identify all the logs in my instance for a certain index, it list everything running except for Windows. What am i missing? thanks in advance. 

index="source" | rex field=source "^.*\/(?=[^/])(?.*?)($|\s|\-|\_)"
0 Karma
Reply

bluemarvel
Path Finder
‎10-19-2017 08:31 AM

alt text

Preview file
83 KB
0 Karma
Reply

cpetterborg
SplunkTrust
SplunkTrust
‎10-17-2017 11:42 AM

Without seeing more of your data, it appears to me that you are not getting anything with a Windows drive letter. But if you can give more information about your index called "source", it would be easier to help answer the question.

0 Karma
Reply

bluemarvel
Path Finder
‎10-19-2017 11:32 AM

the screen shot is below

0 Karma
Reply

bluemarvel
Path Finder
‎10-19-2017 08:31 AM

enclosed is the query and the result.

0 Karma
Reply

bluemarvel
Path Finder
‎10-17-2017 12:00 PM

index="source" | rex field=source "^.\/(?=[^/])(?.?)($|\s|-|_)" ...this is the whole regex

0 Karma
Reply

cpetterborg
SplunkTrust
SplunkTrust
‎10-17-2017 12:06 PM

Can you at least provide examples (even obfuscated) of the output of:

index="source" | table source

It should include something from several types, like linux, oracle, windows. Without that information I'm afraid I can't help out at all.

0 Karma
Reply

bluemarvel
Path Finder
‎10-17-2017 11:57 AM

well for privacy concerns i can only provided limited data, the query captures all data except Windows.

the index is not called source, i just used that as an example.
the other data sources it collects is - linux,oracle....etc.

0 Karma
Reply

DalJeanis
Legend
‎10-17-2017 12:58 PM

Suggestion - we may be able to solve this here, but if not, then get yourself onto the splunk slack channel, where you can post the semi-confidential data privately in a direct message to someone, then delete it after solving your problem.

info here...
https://answers.splunk.com/answers/443734/is-there-a-splunk-slack-channel.html

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...