Splunk Search

Is it possible to search for certain events within raw data?

ecanmaster
Explorer

Would it be possible to search for certain events within the raw data?
For example, I need to find events with C:\Windows\explorer.exe

I used | extract kvdelim=":\t" pairdelim="\n" on the raw events, but it's not parsing the field that I wanted,
so I used rex to get the field parsed and this worked, but then I couldn't do any searches on the field, because I need to adjust fields.conf or something like that, so instead of creating fields, I was wondering if we could straight search for the events with rex?

Or maybe eval would be a better command to create a field and search for events within a field?

0 Karma
1 Solution

inventsekar
SplunkTrust

You can just include C:\Windows\explorer.exe as a search string with "\" escaped:
index=main base-search "C:\\Windows\\explorer"

if regex is needed,
base-search | regex _raw="C:\\\Windows\\\explorer\.exe"


0 Karma
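As an added example (not part of the thread), here is a complete search that applies the escaping from the answer end to end: plain search terms use two backslashes per literal backslash, while the regex and rex patterns use four, because the quoted string drops one level of escaping before the regex engine sees it. The sourcetype and the "New Process Name" key are assumptions about what the raw Windows events look like; adjust them to your data.

```spl
index=main sourcetype="WinEventLog:Security" "C:\\Windows\\explorer.exe"
| regex _raw="New Process Name:\s+C:\\\\Windows\\\\explorer\.exe"
| rex field=_raw "New Process Name:\s+(?<new_process_name>[^\r\n]+)"
| stats count by host, new_process_name
| sort - count
```

The first line narrows on the literal string so the regex only runs over candidate events, and the rex line gives you a searchable field for the rest of the pipeline without touching fields.conf. If your Windows add-on already extracts the process-name field, filter on that field directly instead of matching _raw.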

ecanmaster
Explorer

Thanks inventsekar,

index=main base-search "C:\\Windows\\explorer"

This was good enough. I didn't know about the \ , that was probably the reason I couldn't get any results, but it works now, thank you.

0 Karma

inventsekar
SplunkTrust

Do you want to list the events which contain the string "C:\Windows\explorer.exe", or do you want to extract this or similar paths from the events? Please clarify; maybe post some sample events.

0 Karma

ecanmaster
Explorer

just events containing this string in the raw data: "C:\Windows\explorer.exe"

0 Karma

inventsekar
SplunkTrust

You can just include C:\Windows\explorer.exe as a search string with "\" escaped:
index=main base-search "C:\\Windows\\explorer"

0 Karma

inventsekar
SplunkTrust

@ecanmaster, if the answer looks good, can you please accept the answer, thanks.

0 Karma