Solved: How to extract the new field into interesting fiel...

Nagalakshmi · ‎07-20-2023

Hi Team,

we are trying to add new field as a display name into interesting field from below raw event

DisplayName: sample-Hostname

We tried the below query but it is not working

| rex field=_raw \"DisplayName", "Value":\s(?<DisplayName>\w+).

And also please suggest us how to create a query if the user logged in one or more devices.

Thanks in advance!

gcusello · ‎07-20-2023

Hi @Nagalakshmi ,

good for you, see next time!

let me know if I can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

View solution in original post

Nagalakshmi · ‎07-20-2023

Hi @gcusello ,

Thanks for the quick response!

The above query is perfectly working

gcusello · ‎07-20-2023

Hi @Nagalakshmi ,

good for you, see next time!

let me know if I can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

gcusello · ‎07-20-2023

Hi @Nagalakshmi ,

this seems to be a json log, so you can extract all fields using the "INDEXED_EXTRACTION = json" in the props.conf or using the "spath" command.

If you want to use a regex, you can use:

| rex "DisplayName\",\s+\"Value\":\s+\"(?<DisplayName>[^\"]+)"

that you can test at https://regex101.com/r/hjQXGU/1

Ciao.

Giuseppe

How to extract the new field into interesting field from raw event?

field extraction

rex

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio