Thank you, Giuseppe, for getting back, but this does not work.
Essentially, event logs come with lots of data, and I could create a table from that data, but it is not really clean. I want to be able to grep exactly what I want per alert. So in this case, for example, I want to grep only 'program.exe -switch property'; that way I know who is running what. The regex I have will grab this, but I just don't know how to get this into Splunk.
So I tried your command, but it does not grab or create a table with just 'program.exe -switch property'. It shows nothing for field cmd.
Any help is appreciated.
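Added example (not part of this thread): one way to check that a regex really captures 'program.exe -switch property' before putting it into a Splunk `rex` command. The event lines, the `user` and `host` field names and the `wineventlog` index are constructed assumptions, not values from the thread.

```python
import re

# Constructed sample event-log lines (not real data): two 4688-style
# process-creation messages and one unrelated logon event.
SAMPLE_EVENTS = [
    'EventCode=4688 Account Name: alice  Process Command Line: C:\\Tools\\program.exe -switch property',
    'EventCode=4688 Account Name: bob  Process Command Line: "C:\\Program Files\\other.exe" /quiet',
    'EventCode=4624 Account Name: carol  Logon Type: 3',
]

# The named group (?P<cmd>...) is accepted by both Python's re module and
# Splunk's PCRE-based rex, so the tested pattern can be pasted in unchanged.
CMD_PATTERN = re.compile(r'(?P<cmd>[\w.]+\.exe\s+-\w+\s+\w+)')
USER_PATTERN = re.compile(r'Account Name:\s*(?P<user>\S+)')   # assumed field layout


def extract_cmd(event: str):
    """Return the matched command string, or None when rex would leave cmd empty."""
    m = CMD_PATTERN.search(event)
    return m.group('cmd') if m else None


def build_table(events):
    """Mimic '| rex ... | where isnotnull(cmd) | table user cmd' on the sample lines."""
    rows = []
    for ev in events:
        cmd = extract_cmd(ev)
        if cmd is None:          # events without a matching command line are dropped
            continue
        u = USER_PATTERN.search(ev)
        rows.append({'user': u.group('user') if u else None, 'cmd': cmd})
    return rows


def spl_query(pattern: re.Pattern) -> str:
    """Build the Splunk search that applies the same regex (index/field names assumed)."""
    return (
        'index=wineventlog EventCode=4688 '
        f'| rex field=_raw "{pattern.pattern}" '
        '| where isnotnull(cmd) '
        '| table _time host user cmd'
    )


if __name__ == '__main__':
    for row in build_table(SAMPLE_EVENTS):
        print(row)
    print(spl_query(CMD_PATTERN))
```

If `extract_cmd` returns None for a real event copied from `_raw`, the pattern (not the `rex` command) is what needs adjusting.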