Not yet no ... View more

Good to know, thanks, works perfectly.   ... View more

Oh wait these have to be in order, what if I wanted to grab a field that is 10 fields before this.   Expanded Sample Data; dvchost=asdf.ghi.com NodeType=Windows Server NodeTypeLabel=Node Type Rule=Critical System Settings RuleLabel=Rule RuleType=Windows Registry Rule RuleTypeLabel=Rule Type fname=HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoWebServices ChangeType=Added ChangeTypeLabel=Change Type SeverityName=High SeverityNameLabel=Tripwire Severity Name VersionOID=-1y2p0ij32e8cf:-1y2p0iizs0ilf VersionOIDLabel=Version OID SeverityNumber=10000 SeverityNumberLabel=Tripwire Severity Number sproc=C:\Windows\System32\svchost.exe licurl=https://abcd.ghi.com/console/lic.search.cmd?lic=true&managerId=nodeManager&pageId=nodeManager.elementFinderPage&searchCriteria=%7B%22search.element.nodeGroup.selectedObject%22%3A%22-1y2p0ij32e8bm%3A-1y2p0ij02lp4k%22%2C%22search.element.name.op%22%3A1%2C%22search.element.name%22%3A%22HKEY_LOCAL_MACHINE%5C%5CSoftware%5C%5CMicrosoft%5C%5CWindows%5C%5CCurrentVersion%5C%5CPolicies%5C%5CExplorer|NoWebServices%22%2C%22selectedSearchType%22%3A%22element%22%2C%22search.element.ruleGroup.selectedObject%22%3A%22-1y2p0ij32e7p1%3A-1y2p0ij32bgh0%22%2C%22criteria.searchExecuted%22%3Atrue%7D start=Jan 07 2024 06:07:45 duser=NT AUTHORITY\SYSTEM dvc=10.10.10.10 rt=Jan 29 2024 04:41:24 dhost=abcd.ghi.com SHA-1=Not available MD5=Not available Size=Not available content=0x00000001 (1) contentLabel=Current Version Content timezone=Pacific Standard Time timezoneLabel=Time Zone elementOID=-1y2p0ij32e8ca:-1y2p0ij02lo5f elementOIDLabel=Element OID blVersion=false blVersionLabel=Is baseline version hardCodedIP=10.10.10.10 Say I wanted the fields NodeType, RuleType, fname, duser, sproc?   Thanks ... View more

Wow, thanks so much!  That solves all my problems! ... View more

duser=NT AUTHORITY\SYSTEM dvc=10.10.10.10 rt=Jan 29 2024 04:41:24 dhost=abcd.efgh.com SHA-1=Not available MD5=Not available Size=Not available content=0x00000001 (1) contentLabel=Current Version Content timezone=Pacific Standard Time I want to be able to pull out the duser, dvc, dhost etc.  Focusing on the duser ATM because it is giving me the most grief because of the space in the value.  If I can get one to work, I can get the rest working.   The search so far is simple; index="abc"  | rex field=_raw "duser=(?P<User>.*?) dvc" | table User       ... View more

When I put in my search like this | rex field=_raw "duser=(?<User>.*?) dvc" I get a new field called UserNameLabel with the value of 'User' not the user field data   ... View more

When I put in my search like this | rex field=_raw "duser=(?<User>.*?) dvc" I get a new field called UserNameLabel with the value of User   ... View more

Thank you, I think this solved it! ... View more

@richgalloway  The data is coming from a FIM product called Tripwire.  Here is the raw data;   Dec 22 02:30:34 10.62.32.10 1 2023-12-22T10:30:34.771Z servernameTW_ES - - - CEF:0|Tripwire|Enterprise|5.5|6|Audit Event|1|UserName=NT AUTHORITY\NETWORK SERVICE UserNameLabel=User Name ElementName=null ElementNameLabel=Element Name VersionTimeStamp=null VersionTimeStampLabel=Version Timestamp Message='C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask' accessed by 'NT AUTHORITY\NETWORK SERVICE'. Type 'Set Security'. Application: 'C:\Windows\System32\svchost.exe' Details: DACL Category=Audit Event CategoryLabel=Category rt=12/22/23 2:25 AM Level=Information LevelLabel=level dhost=trip.cs.ad.domain.com I don't have any props or transforms yet because I am not sure where to start with this. Thanks ... View more

That has me much closer, thanks! ... View more

Oh yeah, that is exactly what I am seeing now, when I try your search, I still only see the unique values.  I will take a look at list   ... View more

Ok, I am an idiot and apologize, I am building my experience in Splunk still.  I was outputting the results to a table but when I went to look at the raw data I see that the following is actually working!   index=wineventlog eventtype="msad-dns-debuglog" | rex mode=sed "s/\(.*?\)/./g s/^\.+(\s+)?// s/\.$//" I am getting .www.google.com in the raw data which is a lot closer than I thought I was.  I am unsure why I am still getting that leading dot, but this is something.   you are right, I want to catch this in indexing but wanted to verify my sed logic was accurate before I did that.   ... View more

Ok, using the original data, here is a result that works..... | makeresults | eval _raw="(3)www(6)google(2)ca(0)" | rex mode=sed "s/\(.*?\)/./g s/^\.+(\s+)?// s/\.$//"   I get  www.google.ca   ... View more

Here are a few more examples;   (3)www(6)google(2)ca(0) (7)outlook(9)office365(3)com(0) (7)updates(4)asdf(3)com(0) (4)test(4)test(3)com(0)       ... View more

When I try the two samples provided; | rex mode=sed "s/\(.*?\)/./g s/\"\.+(\s+)?/\"/ s/\.\"/\"/" and  | rex mode=sed "s/\"\(\d+\){1,}(\s+)?/\"/ s/\(\d+\)\"/\"/ s/\(\d+\)/./g"  They run without error but don't actually modify the output.  Similar to what I was seeing earlier.   I really appreciate your help with this   ... View more

What I am trying to do is convert MS DNS Logs to readable text.  I understand that there is probably an app for this but want to do it manually   The input data is (3)www(6)google(3)com(0) and I want to change it to www.google.com I had this working fine -  | rex field=query mode=sed "s/\(.*?\)/./g s/^\.+(\s+)?// s/\.$//" It takes all the (#) and converts it to a . and then goes through and removes the first and last .'s  So I am trying to convert this to a sed command to do this on indexing but can't get it to work, I simplified what I was doing with examples that showed the same behavior. ... View more

Would this count as a calculated field, this is all I see in the props.conf currently for this particular field.   FIELDALIAS-query = questionname AS query ... View more

Cool thanks for the reference info, but mine all of a sudden isn't passing the --execute and then is failing.  Can you think of a reason why it wouldn't pass that, the script is being called by the custom alert app. ... View more