Are you looking to extract the field in a query through spl or are you trying to do a field extraction on ingest of the log data?
For the first you would add a field extraction in your props.conf file.
https://docs.splunk.com/Documentation/Splunk/8.0.5/Knowledge/Exampleconfigurationswithprops.conf
For the second you would use the rex command as suggested.
https://docs.splunk.com/Documentation/SCS/current/SearchReference/RexCommandExamples
The regex you would use depends on how consistent your logs are and whether you can define a regex that matches all of the logs you are concerned with. Here is an example of what might work if all of your logs had the command at the end of the line:
| rex field=_raw “(?<command>[\w]+\s[-\w]*)$”
The above regex is not perfect. You'll have to account for a command with and without arguments. The above regex isn't perfect if your command doesn't have -xyz arguments.
Thanks for your reply. I will check it out.
I am assuming all your commands are at the end of the line.
| rex “(?<command>[\w]+\s[-\w]+)$”
@thambisetty tried your solution. It throws error.
Maybe it's because of the double quotes used in rex. Remove them and type them in from your keyboard.
Yes, I got it to work. However, it is not accounting for all the commands. I will improvise. Thanks.
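As an added illustration, not code from the thread, the following Python script checks the two points raised above: the typographic double quotes that break the pasted rex command, and what the suggested pattern captures once they are fixed, next to a variant that also matches a command with no argument. The sample events, the cmd: prefix and the helper names are constructed for this example; Splunk's (?<name>...) groups are rewritten to Python's (?P<name>...) spelling so the same pattern can be tested outside Splunk.

```python
import re
from typing import Optional

# Constructed sample events for this example; they are not from the thread.
SAMPLE_LOGS = [
    "2024-01-01T10:00:00 host=web01 user=alice cmd: ls -la",
    "2024-01-01T10:00:05 host=web01 user=alice cmd: whoami",
    "2024-01-01T10:00:09 host=web01 user=bob cmd: tar -czf",
]

# The rex command as it was pasted into the thread, typographic quotes included.
PASTED_REX = r"| rex field=_raw “(?<command>[\w]+\s[-\w]*)$”"

SMART_QUOTES = {"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"}


def normalize_quotes(spl: str) -> str:
    """Replace typographic quotes (copied from a web page or editor) with ASCII ones."""
    return "".join(SMART_QUOTES.get(ch, ch) for ch in spl)


def rex_pattern(spl: str) -> str:
    """Pull the quoted regex out of a '| rex [field=...] "<pattern>"' command."""
    m = re.search(r'rex\s+(?:field=\S+\s+)?"(?P<pat>.*)"', normalize_quotes(spl))
    if not m:
        raise ValueError("no quoted pattern found in rex command")
    return m.group("pat")


def to_python_regex(pcre: str) -> str:
    """Splunk rex uses PCRE (?<name>...) groups; Python spells them (?P<name>...)."""
    return re.sub(r"\(\?<(\w+)>", r"(?P<\1>", pcre)


def extract_command(line: str, pattern: str) -> Optional[str]:
    """Return the captured 'command' field for one event, or None if no match."""
    m = re.search(to_python_regex(pattern), line)
    return m.group("command") if m else None


# Pattern from the thread: it requires a space after the command word, so a bare
# command with no argument (here 'whoami') is missed.
THREAD_PATTERN = rex_pattern(PASTED_REX)
# Making the argument group optional catches both forms; it still assumes the
# command is the last thing on the line, as the thread does.
OPTIONAL_ARG_PATTERN = r"(?<command>[\w]+(?:\s[-\w]+)?)$"

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(extract_command(line, THREAD_PATTERN), extract_command(line, OPTIONAL_ARG_PATTERN))
```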