Splunk Search

Is it possible to search for certain events within raw data?

ecanmaster
Explorer

Would it be possible to search for certain events within the raw data?
For example, I need to find events with C:\Windows\explorer.exe

I used | extract kvdelim=":\t" pairdelim="\n" on the raw events, but its not parsing the field that I wanted,
so I used rex to get the field parsed and this worked, bu then I couldn't do any searches on the field, because I need to adjust fields.conf or something like that, so instead of creating fields, I was wondering if we could straight search for the events with Rex?

Or maybe eval would be better command to create field and search for events within a field?

0 Karma
1 Solution

inventsekar
Ultra Champion

just you can include the C:\Windows\explorer.exe as a search string with "\" escaped -
index=main base-search "C:\\Windows\\explorer"

if regex is needed,
base-search | regex _raw="C:\\\Windows\\\explorer\.exe
alt text

View solution in original post

0 Karma

inventsekar
Ultra Champion

just you can include the C:\Windows\explorer.exe as a search string with "\" escaped -
index=main base-search "C:\\Windows\\explorer"

if regex is needed,
base-search | regex _raw="C:\\\Windows\\\explorer\.exe
alt text

0 Karma

ecanmaster
Explorer

thx iventsekar,

index=main base-search "C:\\Windows\\explorer"

this was good enough, I didn't know about the \ , that was probably the reason I couldn't get any results, but it works now, thank you

0 Karma

inventsekar
Ultra Champion

you want to list down the events which contains the string "C:\Windows\explorer.exe" or you want to extract this or similar paths from the events.. please clarify.. maybe post some sample events.

0 Karma

ecanmaster
Explorer

just events containing this string in the raw data: "C:\Windows\explorer.exe"

0 Karma

inventsekar
Ultra Champion

just you can include the C:\Windows\explorer.exe as a search string with "\" escaped -
index=main base-search "C:\\Windows\\explorer"

0 Karma

inventsekar
Ultra Champion

@ecanmaster, if the answer looks good, can you please accept the answer, thanks.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...