Hi,
Thanks for your answer...
If I try your query
index=windows_script_log
| search script_name="Microlise_Splunk_Telemetry"
I get no results... 😞
If I try this query
index=windows_script_log | rex field=source "^.*\/[0-9]*_(?P<script_name>.*)\.[a-z]{3}$" | search script_name="Microlise_Splunk_Telemetry"
it works fine, strange...
With the same regex in props.conf, the script_name is correctly extracted... but when I filter on it... no results. If I do the rex directly in the query, it works fine... Aren't these two methods the same thing?
I don't understand what the difference is... for me the result must be the same...