Solved: Need to write both rex and regex

vishwanadhan_mu · ‎06-30-2019

"C:\Users\TestUser\AppData\Local\Microsoft\Teams\Update.exe" --processStart "Teams.exe" --process-start-args "--system-initiated"

Could someone help me writing regex and rex to extract field(which is a process) name after --processStart .

Next I'll filter out filed name which I don't want match.

Thanks in Advance

vnravikumar · ‎06-30-2019

Hi

Try this

| makeresults 
| eval temp="\"C:\Users\TestUser\AppData\Local\Microsoft\Teams\Update.exe\" --processStart \"Teams.exe\" --process-start-args \"--system-initiated\"" 
| rex field=temp "--processStart\s\"(?P<processname>[^--]+)\""

View solution in original post

jawaharas · ‎06-30-2019

Try this.

Field extracted using space as delimiter.

| makeresults 
 | eval input="\"C:\Users\TestUser\AppData\Local\Microsoft\Teams\Update.exe\" --processStart \"Teams.exe\" --process-start-args \"--system-initiated\"" 
 | rex field=input "^(?:[^\s]* ){2}\"(?<process>[^ ]+)\""

vishwanadhan_mu · ‎07-01-2019

This too worked for me. Thanks a lot.

vnravikumar · ‎06-30-2019

Hi

Try this

| makeresults 
| eval temp="\"C:\Users\TestUser\AppData\Local\Microsoft\Teams\Update.exe\" --processStart \"Teams.exe\" --process-start-args \"--system-initiated\"" 
| rex field=temp "--processStart\s\"(?P<processname>[^--]+)\""

vishwanadhan_mu · ‎07-01-2019

This worked. Thanks a lot

vishwanadhan_mu · ‎07-01-2019

If you don't mind can you explain me [^--]+)\"" this part

vnravikumar · ‎07-01-2019

I mentioned to extract from processStart to before --

Need to write both rex and regex

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard

Are you a member of the Splunk Community?

Need to write both rex and regex

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard