Monitoring Splunk

Windows Security logs and USB Monitoring

New Member

Dear All,

I'm trying to find a way to catch the number 0018F3D97D02BBA0517E001A&0 which before the last backslash.

I put an extract of the line I want to a reg on it.

Object Name:    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DT_R500&Rev_PMAP\0018F3D97D02BBA0517E001A&0

The reg command I used is the following:

| rex field=_raw "USBSTOR.*_(?<USBID>......?)"|

I just want to extract all data after the last backslash.

Please help,

Best regards,


Tags (2)
0 Karma


If that code is the last text in the event, how about:

| rex "(?<USBID>[^\\]+)$"
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!