Hi all,
I am fairly new to Splunk and have been working on the following search-time field extraction to grab Windows-formatted filenames from various different custom logs, and was wondering if and how something like this can be made to automatically extract fields for a given app. I believe this will require work in props.conf and use of SED scripts, but was wondering if anyone could point me in the right direction, as I wouldn't know where to start. Any help would be greatly appreciated:
| rex "(?<extract_filename>(( |TrustedInsta|//)+[-a-zA-Z0-9)/(. ]+.(exe|dll|bat)$))"
| rex mode=sed field=extract_filename "s/^[a-zA-Z0-9][ ]+ //"
| rex mode=sed field=extract_filename "s/^ *//"
| rex mode=sed field=extract_filename "s/^TrustedInsta//"
| rex "(?<extract_filename2>(\+[a-zA-Z0-9]+.(exe|dll|bat)\"))"
| eval FILE=mvappend(extract_filename, " ", extract_filename2)