Would it be possible to search for certain events within the raw data?
For example, I need to find events with C:\Windows\explorer.exe
I used | extract kvdelim=":\t" pairdelim="\n" on the raw events, but it's not parsing the field that I wanted,
so I used rex to get the field parsed and this worked, but then I couldn't do any searches on the field, because I need to adjust fields.conf or something like that. So instead of creating fields, I was wondering if we could straight search for the events with rex?
Or maybe eval would be a better command to create a field and search for events within a field?
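As an added illustration (not part of the original post) of the pattern being asked about, here is a search that extracts a field from the raw event with rex and then filters on it in the same pipeline, with no fields.conf change. The index, sourcetype and the "Image:<tab>value" line layout are assumptions for the example; the process-logging format in the original post is not shown, so adjust the regex to the actual key name and delimiter.

```spl
index=example_endpoint sourcetype=example:process
| rex field=_raw "(?m)^Image:\t(?<image>.+)$"
| search image="C:\\Windows\\explorer.exe"
| table _time host image
```

rex creates the field image at search time, so the following search (or where) command can filter on it directly; extract is only needed when the event is already in a clean key/value layout that its delimiters match. Doubled backslashes inside the quoted value stand for literal backslashes in the path, and a wildcard such as image="*\\explorer.exe" works if the drive or directory varies across hosts.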