Hello all,
I have the following query which gives me the required results, but I can't get the regex command to INCLUDE the single backslash in front of file.exe. I want to do this to prevent the query from counting testfile.exe and such. Any help is greatly appreciated.
ComputerName=* [search earliest=-2h latest=now() ProductType="1" | table ComputerName]
| regex CommandLine="(?i)(testvalue1|testvalue2|\\\\file\.exe)"
| eval testvalue1_count=if(match(lower(CommandLine),"testvalue1"),1,0)
| eval testvalue2_count=if(match(lower(CommandLine),"testvalue2"),1,0)
| eval file_count=if(match(lower(CommandLine),"\\\\file\.exe"),1,0)
| stats sum(testvalue1_count) AS TV1 sum(testvalue2_count) AS TV2 sum(file_count) AS FC BY ComputerName
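Added example (not from the original post): the same filter-then-count logic run with Python's regex engine over constructed sample events, showing that the pattern `\\file\.exe` (literal backslash, literal dot) matches `C:\Tools\file.exe` but not `C:\Tools\testfile.exe`. Python raw strings need one escaping level (`\\`); in SPL the search language unescapes the quoted string once before the regex engine sees it, so the same literal backslash is written as `\\\\`.

```python
import re
from collections import defaultdict

# Regex from the question's "| regex" stage, in Python raw-string form.
# (?i) makes the whole alternation case-insensitive, as in the SPL version.
FILTER = re.compile(r"(?i)(testvalue1|testvalue2|\\file\.exe)")

# Per-field patterns used in the eval/match() stages; they run against
# lower(CommandLine), so no (?i) is needed here.
COUNTERS = {
    "TV1": re.compile(r"testvalue1"),
    "TV2": re.compile(r"testvalue2"),
    "FC": re.compile(r"\\file\.exe"),   # backslash and dot are literal
}

# Constructed sample events (ComputerName, CommandLine); not real telemetry.
EVENTS = [
    ("HOST-A", r"C:\Tools\file.exe /silent"),        # counts as FC
    ("HOST-A", r"C:\Tools\testfile.exe /silent"),    # must NOT count: no backslash before "file"
    ("HOST-A", "cmd.exe /c TestValue1"),             # counts as TV1 (case-insensitive)
    ("HOST-B", r"C:\Windows\System32\FILE.EXE"),     # counts as FC after lower()
    ("HOST-B", "powershell -c testvalue2"),          # counts as TV2
    ("HOST-B", r"C:\Tools\fileXexe"),                # must NOT count: dot is literal
    ("HOST-C", "notepad.exe"),                       # dropped by the filter stage
]


def count_hits(events):
    """Mirror '| regex ... | eval ... | stats sum(...) BY ComputerName'."""
    counts = defaultdict(lambda: {"TV1": 0, "TV2": 0, "FC": 0})
    for host, cmd in events:
        if not FILTER.search(cmd):          # "| regex" keeps only matching events
            continue
        low = cmd.lower()                   # lower(CommandLine)
        for name, pat in COUNTERS.items():  # if(match(...),1,0) per counter
            if pat.search(low):
                counts[host][name] += 1
    return dict(counts)


if __name__ == "__main__":
    for host, row in sorted(count_hits(EVENTS).items()):
        print(host, row)
```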