Splunk Search

Is it possible to search for certain events within raw data?

ecanmaster
Explorer

Would it be possible to search for certain events within the raw data?
For example, I need to find events with C:\Windows\explorer.exe

I used | extract kvdelim=":\t" pairdelim="\n" on the raw events, but its not parsing the field that I wanted,
so I used rex to get the field parsed and this worked, bu then I couldn't do any searches on the field, because I need to adjust fields.conf or something like that, so instead of creating fields, I was wondering if we could straight search for the events with Rex?

Or maybe eval would be better command to create field and search for events within a field?

0 Karma
1 Solution

inventsekar
SplunkTrust
SplunkTrust

just you can include the C:\Windows\explorer.exe as a search string with "\" escaped -
index=main base-search "C:\\Windows\\explorer"

if regex is needed,
base-search | regex _raw="C:\\\Windows\\\explorer\.exe
alt text

View solution in original post

0 Karma

inventsekar
SplunkTrust
SplunkTrust

just you can include the C:\Windows\explorer.exe as a search string with "\" escaped -
index=main base-search "C:\\Windows\\explorer"

if regex is needed,
base-search | regex _raw="C:\\\Windows\\\explorer\.exe
alt text

0 Karma

ecanmaster
Explorer

thx iventsekar,

index=main base-search "C:\\Windows\\explorer"

this was good enough, I didn't know about the \ , that was probably the reason I couldn't get any results, but it works now, thank you

0 Karma

inventsekar
SplunkTrust
SplunkTrust

you want to list down the events which contains the string "C:\Windows\explorer.exe" or you want to extract this or similar paths from the events.. please clarify.. maybe post some sample events.

0 Karma

ecanmaster
Explorer

just events containing this string in the raw data: "C:\Windows\explorer.exe"

0 Karma

inventsekar
SplunkTrust
SplunkTrust

just you can include the C:\Windows\explorer.exe as a search string with "\" escaped -
index=main base-search "C:\\Windows\\explorer"

0 Karma

inventsekar
SplunkTrust
SplunkTrust

@ecanmaster, if the answer looks good, can you please accept the answer, thanks.

0 Karma
Get Updates on the Splunk Community!

Splunk is Nurturing Tomorrow’s Cybersecurity Leaders Today

Meet Carol Wright. She leads the Splunk Academic Alliance program at Splunk. The Splunk Academic Alliance ...

Part 2: A Guide to Maximizing Splunk IT Service Intelligence

Welcome to the second segment of our guide. In Part 1, we covered the essentials of getting started with ITSI ...

Part 1: A Guide to Maximizing Splunk IT Service Intelligence

As modern IT environments continue to grow in complexity and speed, the ability to efficiently manage and ...