Solved: Need to write both rex and regex

vishwanadhan_mu · ‎06-30-2019

"C:\Users\TestUser\AppData\Local\Microsoft\Teams\Update.exe" --processStart "Teams.exe" --process-start-args "--system-initiated"

Could someone help me writing regex and rex to extract field(which is a process) name after --processStart .

Next I'll filter out filed name which I don't want match.

Thanks in Advance

vnravikumar · ‎06-30-2019

Hi

Try this

| makeresults 
| eval temp="\"C:\Users\TestUser\AppData\Local\Microsoft\Teams\Update.exe\" --processStart \"Teams.exe\" --process-start-args \"--system-initiated\"" 
| rex field=temp "--processStart\s\"(?P<processname>[^--]+)\""

View solution in original post

jawaharas · ‎06-30-2019

Try this.

Field extracted using space as delimiter.

| makeresults 
 | eval input="\"C:\Users\TestUser\AppData\Local\Microsoft\Teams\Update.exe\" --processStart \"Teams.exe\" --process-start-args \"--system-initiated\"" 
 | rex field=input "^(?:[^\s]* ){2}\"(?<process>[^ ]+)\""

vishwanadhan_mu · ‎07-01-2019

This too worked for me. Thanks a lot.

vnravikumar · ‎06-30-2019

Hi

Try this

| makeresults 
| eval temp="\"C:\Users\TestUser\AppData\Local\Microsoft\Teams\Update.exe\" --processStart \"Teams.exe\" --process-start-args \"--system-initiated\"" 
| rex field=temp "--processStart\s\"(?P<processname>[^--]+)\""

vishwanadhan_mu · ‎07-01-2019

This worked. Thanks a lot

vishwanadhan_mu · ‎07-01-2019

If you don't mind can you explain me [^--]+)\"" this part

vnravikumar · ‎07-01-2019

I mentioned to extract from processStart to before --

Need to write both rex and regex

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!