Monitoring Splunk

Windows Security logs and USB Monitoring

rduro
New Member

Dear All,

I'm trying to find a way to catch the number 0018F3D97D02BBA0517E001A&0, which is before the last backslash.

I put an extract of the line I want to run a reg on.

Object Name:    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DT_R500&Rev_PMAP\0018F3D97D02BBA0517E001A&0

The reg command I used is the following:

| rex field=_raw "USBSTOR.*_(?<USBID>......?)"|

I just want to extract all data after the last backslash.

Please help,

Best regards,

Raph


Ayn
Legend

If that code is the last text in the event, how about:

| rex "(?<USBID>[^\\]+)$"
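
The condition in the answer above ("if that code is the last text in the event") matters for full Windows Security events, where other fields follow Object Name. The sketch below is an added example, not code from either poster: it anchors on the Object Name line instead of the end of the event and also splits the device key. The sample event, the `Handle ID` value, and the function names `extract_usb` and `end_anchored` are constructed for illustration; Python writes named groups as `(?P<name>...)` where Splunk's rex uses `(?<name>...)`.

```python
import re

# Constructed sample event: "Object Name" is NOT the last line, so a pattern
# anchored to the end of the whole event captures the wrong text.
SAMPLE_EVENT = r"""Object:
    Object Server:  Security
    Object Type:    Key
    Object Name:    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DT_R500&Rev_PMAP\0018F3D97D02BBA0517E001A&0
    Handle ID:      0x1f4
"""

# Anchor on the field name and on end-of-LINE (re.MULTILINE), not end-of-event.
USBSTOR_RE = re.compile(
    r"Object Name:\s+\S*\\USBSTOR\\"
    r"(?P<device>[^\\\s]+)"    # Disk&Ven_...&Prod_...&Rev_...
    r"\\(?P<USBID>[^\\\s]+)"   # instance ID after the last backslash
    r"[^\S\n]*$",              # optional trailing spaces, then end of line
    re.MULTILINE,
)

def extract_usb(event):
    """Return one dict per USBSTOR object name found in the event text."""
    results = []
    for m in USBSTOR_RE.finditer(event):
        fields = {"USBID": m.group("USBID")}
        for part in m.group("device").split("&"):
            key, sep, value = part.partition("_")
            if sep:
                fields[key] = value      # Ven, Prod, Rev
            else:
                fields["Type"] = part    # e.g. "Disk"
        results.append(fields)
    return results

def end_anchored(text):
    """The end-of-event pattern from the answer, for comparison."""
    m = re.search(r"(?P<USBID>[^\\]+)$", text)
    return m.group("USBID") if m else None

if __name__ == "__main__":
    print(extract_usb(SAMPLE_EVENT))
    print(repr(end_anchored(SAMPLE_EVENT)))  # also swallows the Handle ID line
```
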