Why does this field extraction and rex give different results?

tfilip
Engager

I'm completely stuck here. I'm trying to extract the "Path" from a logfile with this format:

Time:	 05/10/2022 11:26:53
Event:  Traffic
IP Address:  xxxxxxxxxx
Description:  HOST PROCESS FOR WINDOWS SERVICES
Path:  C:\Windows\System32\svchost.exe
Message:      Blocked Incoming UDP  -  Source  xxxxxxxxxx :  (xxxx)   Destination  xxxxxxxxxx :  (xxxxx)
Matched Rule:  Block all traffic

using this regex

((Path:\s{1,2})(?<fwpath>.+))

It does exactly what I want when I use rex, it extracts the path as "fwpath". However, when I do it as a field extraction, it matches the rest of the log entry. Why is it behaving differently for these two?

1 Solution

ITWhisperer
SplunkTrust

Try this

((Path:\s{1,2})(?<fwpath>\S+))


tfilip
Engager

That (almost) did it! I had to replace \S with \N so that it wouldn't stop at spaces in paths, like "C:\Program Files".

Thanks much!

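To make the difference between the three patterns in this thread concrete, here is an added Python check that is not part of the original posts. It runs `.+`, `\S+` and the newline-excluding variant over two constructed sample events laid out like the one in the question (the IP addresses, ports and the "C:\Program Files" path are made up). PCRE's `\N` (any character except a newline) has no direct spelling in Python's `re`, so `[^\r\n]` stands in for it; the `dotall=True` run shows how `.+` swallows the rest of a multi-line event once `.` is allowed to match newlines, which is the kind of behaviour the original poster describes for the field extraction.

```python
import re

# Constructed sample events in the same layout as the post (not real firewall data).
# The second one has a space in the path to show where \S+ falls short.
EVENTS = [
    "Time:\t 05/10/2022 11:26:53\n"
    "Event:  Traffic\n"
    "IP Address:  203.0.113.10\n"
    "Description:  HOST PROCESS FOR WINDOWS SERVICES\n"
    "Path:  C:\\Windows\\System32\\svchost.exe\n"
    "Message:      Blocked Incoming UDP  -  Source  203.0.113.10 :  (1234)   Destination  198.51.100.7 :  (5353)\n"
    "Matched Rule:  Block all traffic",
    "Time:\t 05/10/2022 11:27:01\n"
    "Event:  Traffic\n"
    "IP Address:  203.0.113.11\n"
    "Description:  EXAMPLE AGENT\n"
    "Path:  C:\\Program Files\\Example\\agent.exe\n"
    "Message:      Blocked Outgoing TCP  -  Source  203.0.113.11 :  (49152)   Destination  198.51.100.8 :  (443)\n"
    "Matched Rule:  Block all traffic",
]

# The candidate patterns from the thread. PCRE's \N (any char except newline)
# is written here as [^\r\n], which is the equivalent in Python's re module.
PATTERNS = {
    "dot_plus":    r"Path:\s{1,2}(?P<fwpath>.+)",
    "nonspace":    r"Path:\s{1,2}(?P<fwpath>\S+)",
    "not_newline": r"Path:\s{1,2}(?P<fwpath>[^\r\n]+)",
}


def extract_path(event, pattern, dotall=False):
    """Return the fwpath capture for one event, or None if the pattern does not match.

    dotall=True lets '.' match newline characters as well, which turns a greedy
    '.+' into "everything from the path to the end of the event".
    """
    flags = re.DOTALL if dotall else 0
    m = re.search(pattern, event, flags)
    return m.group("fwpath") if m else None


def compare(event):
    """Run every pattern over one event and return the captures keyed by pattern name."""
    out = {name: extract_path(event, pat) for name, pat in PATTERNS.items()}
    out["dot_plus_dotall"] = extract_path(event, PATTERNS["dot_plus"], dotall=True)
    return out


if __name__ == "__main__":
    for ev in EVENTS:
        for name, value in compare(ev).items():
            print(f"{name:16} -> {value!r}")
        print()
```

Running it shows `nonspace` returning only `C:\Program` for the second event, while `not_newline` returns the full path for both and stops at the end of the line regardless of how `.` is configured, which is why the poster's switch to `\N` fixed both problems at once.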