Seeing an issue with tabling results inside quotes and wondering if this is a known issue with a workaround?
query:
index=perfmon source=process sourcetype=WinHostMon ProcessId=22864
results:
Type=Process
Name="splunkd.exe"
ProcessId=22864
CommandLine=""C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service"
StartTime="20160817005341.861352+120"
Host="myhost"
Path="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"
Type=Process
Name="TrustedInstaller.exe"
ProcessId=19228
CommandLine="C:\Windows\servicing\TrustedInstaller.exe"
StartTime="20160816000024.970946+120"
Host="Anotherhost"
Path="C:\Windows\servicing\TrustedInstaller.exe"
query:
index=perfmon source=process sourcetype=WinHostMon ProcessId=22864 | table CommandLine
No results..
Yes, the double quotes give a little trouble there..
Maybe a quick rex.. tested this and it works fine..
sourcetype=WinHostMonTest | rex field=_raw "CommandLine=(?<CmdLine>.+[^\n])" | table CmdLine
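To make the failure mode concrete, the block below is an added example that is not part of the original answer. It re-creates the two WinHostMon events from the question as constructed sample strings, approximates Splunk's automatic key="value" extraction with a regex (an assumption about how the auto-extractor treats a quoted value, not Splunk's actual parser), and then applies the rex from the answer in Python named-group syntax. The point for a defender is that the `CommandLine` value, which most process-based detections key on, comes out empty for the splunkd event because the nested quotes end the quoted value at the first embedded `"`, while the line-anchored rex keeps the whole command line including its arguments. The `unquote_once` helper is my own addition, so the one outer quote pair is removed without eating the inner quotes.

```python
import re

# Constructed sample events, laid out as the question shows them.
# The splunkd event has nested quotes inside CommandLine; TrustedInstaller does not.
EVENT_SPLUNKD = "\n".join([
    r'Type=Process',
    r'Name="splunkd.exe"',
    r'ProcessId=22864',
    r'CommandLine=""C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service"',
    r'StartTime="20160817005341.861352+120"',
    r'Host="myhost"',
    r'Path="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"',
])
EVENT_TRUSTEDINSTALLER = "\n".join([
    r'Type=Process',
    r'Name="TrustedInstaller.exe"',
    r'ProcessId=19228',
    r'CommandLine="C:\Windows\servicing\TrustedInstaller.exe"',
    r'StartTime="20160816000024.970946+120"',
    r'Host="Anotherhost"',
    r'Path="C:\Windows\servicing\TrustedInstaller.exe"',
])

# Assumed approximation of automatic key="value" extraction: a value is either a
# double-quoted string that ends at the next double quote, or a bare token.
AUTO_KV = re.compile(r'^(?P<key>\w+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))', re.M)

# The rex from the answer; Python spells a named group (?P<name>...) rather than (?<name>...).
REX_CMDLINE = re.compile(r'CommandLine=(?P<CmdLine>.+[^\n])')


def auto_extract(event):
    """Return the key/value pairs the naive auto-extractor would produce for one event."""
    fields = {}
    for m in AUTO_KV.finditer(event):
        quoted, bare = m.group("quoted"), m.group("bare")
        fields[m.group("key")] = quoted if quoted is not None else bare
    return fields


def rex_extract(event):
    """Return the rest of the CommandLine= line, as the rex in the answer captures it."""
    m = REX_CMDLINE.search(event)
    return m.group("CmdLine") if m else None


def unquote_once(value):
    """Strip exactly one outer quote pair, leaving any quotes embedded in the command line."""
    if value is not None and len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    return value


if __name__ == "__main__":
    for label, event in (("splunkd", EVENT_SPLUNKD), ("TrustedInstaller", EVENT_TRUSTEDINSTALLER)):
        print(f"{label}: auto CommandLine={auto_extract(event)['CommandLine']!r}")
        print(f"{label}: rex  CommandLine={unquote_once(rex_extract(event))!r}")
```

Run it and the splunkd event shows an empty auto-extracted `CommandLine` next to the full value recovered by the rex, while TrustedInstaller extracts the same either way; the regex works because `.+` stops at the line break, so the trailing `[^\n]` in the original rex is harmless but redundant.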
Legend!
Thanks
Is there any way to have this data straightened out with a props/transform search time or index time extraction?
I can't seem to put this in my dashboard:
...| rex field=_raw "CommandLine=(?.+[^\n])"| table CommandLine
It's complaining about the
<title>$ProcessID$ Process Drilldown</title>
<search>
<query>index=perfmon source=process sourcetype=WinHostMon ProcessId=22864
earliest=$time.earliest$ latest=$time.latest$ host=$Host$ ProcessId=$ProcessID$ | dedup ProcessId | rex field=_raw "CommandLine=(?.+[^\n])"| table Name ProcessId CommandLine Path
I am not sure of this one.. let me create a dashboard to check it and get back to you..
CDATA! sorted it. Thanks