Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How would I configure my regex to also include Windows data?

bluemarvel
Path Finder
‎10-17-2017 11:32 AM

I have a query that will identify all the logs in my instance for a certain index, it list everything running except for Windows. What am i missing? thanks in advance. 

index="source" | rex field=source "^.*\/(?=[^/])(?.*?)($|\s|\-|\_)"
0 Karma
Reply

bluemarvel
Path Finder
‎10-19-2017 08:31 AM

alt text

Preview file
83 KB
0 Karma
Reply

cpetterborg
SplunkTrust
SplunkTrust
‎10-17-2017 11:42 AM

Without seeing more of your data, it appears to me that you are not getting anything with a Windows drive letter. But if you can give more information about your index called "source", it would be easier to help answer the question.

0 Karma
Reply

bluemarvel
Path Finder
‎10-19-2017 11:32 AM

the screen shot is below

0 Karma
Reply

bluemarvel
Path Finder
‎10-19-2017 08:31 AM

enclosed is the query and the result.

0 Karma
Reply

bluemarvel
Path Finder
‎10-17-2017 12:00 PM

index="source" | rex field=source "^.\/(?=[^/])(?.?)($|\s|-|_)" ...this is the whole regex

0 Karma
Reply

cpetterborg
SplunkTrust
SplunkTrust
‎10-17-2017 12:06 PM

Can you at least provide examples (even obfuscated) of the output of:

index="source" | table source

It should include something from several types, like linux, oracle, windows. Without that information I'm afraid I can't help out at all.

0 Karma
Reply

bluemarvel
Path Finder
‎10-17-2017 11:57 AM

well for privacy concerns i can only provided limited data, the query captures all data except Windows.

the index is not called source, i just used that as an example.
the other data sources it collects is - linux,oracle....etc.

0 Karma
Reply

DalJeanis
Legend
‎10-17-2017 12:58 PM

Suggestion - we may be able to solve this here, but if not, then get yourself onto the splunk slack channel, where you can post the semi-confidential data privately in a direct message to someone, then delete it after solving your problem.

info here...
https://answers.splunk.com/answers/443734/is-there-a-splunk-slack-channel.html

0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...