Solved: Re: Why does this field extraction and rex give di...

tfilip · ‎05-10-2022

I'm completely stuck here. I'm trying to extract the "Path" from a logfile with this format:

Time:	 05/10/2022 11:26:53
Event:  Traffic
IP Address:  xxxxxxxxxx
Description:  HOST PROCESS FOR WINDOWS SERVICES
Path:  C:\Windows\System32\svchost.exe
Message:      Blocked Incoming UDP  -  Source  xxxxxxxxxx :  (xxxx)   Destination  xxxxxxxxxx :  (xxxxx)
Matched Rule:  Block all traffic

using this regex

((Path:\s{1,2})(?<fwpath>.+))

It does exactly what I want when I use rex, it extracts the path as "fwpath". However, when I do it as a field extraction, it matches the rest of the log entry. Why is it behaving differently for these two?

ITWhisperer · ‎05-10-2022

Try this

((Path:\s{1,2})(?<fwpath>\S+))

View solution in original post

ITWhisperer · ‎05-10-2022

Try this

((Path:\s{1,2})(?<fwpath>\S+))

tfilip · ‎05-11-2022

That (almost) did it! I had to replace \S with \N so that it wouldn't stop at spaces in paths, like "C:\Program Files".

Thanks much!

Why does this field extraction and rex give different results?

field extraction

fields

regex

rex

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!