Re: How would I configure my regex to also include...

bluemarvel · ‎10-17-2017

I have a query that will identify all the logs in my instance for a certain index, it list everything running except for Windows. What am i missing? thanks in advance.

index="source" | rex field=source "^.*\/(?=[^/])(?.*?)($|\s|\-|\_)"

bluemarvel · ‎10-19-2017

cpetterborg · ‎10-17-2017

Without seeing more of your data, it appears to me that you are not getting anything with a Windows drive letter. But if you can give more information about your index called "source", it would be easier to help answer the question.

bluemarvel · ‎10-19-2017

the screen shot is below

bluemarvel · ‎10-19-2017

enclosed is the query and the result.

bluemarvel · ‎10-17-2017

index="source" | rex field=source "^.\/(?=[^/])(?.?)($|\s|-|_)" ...this is the whole regex

cpetterborg · ‎10-17-2017

Can you at least provide examples (even obfuscated) of the output of:

index="source" | table source

It should include something from several types, like linux, oracle, windows. Without that information I'm afraid I can't help out at all.

bluemarvel · ‎10-17-2017

well for privacy concerns i can only provided limited data, the query captures all data except Windows.

the index is not called source, i just used that as an example.
the other data sources it collects is - linux,oracle....etc.

DalJeanis · ‎10-17-2017

Suggestion - we may be able to solve this here, but if not, then get yourself onto the splunk slack channel, where you can post the semi-confidential data privately in a direct message to someone, then delete it after solving your problem.

info here...
https://answers.splunk.com/answers/443734/is-there-a-splunk-slack-channel.html

How would I configure my regex to also include Windows data?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...