Hello Ninjas,
I am having some trouble trying to figure out how to use regex to perform a simple action.
So I have a field called Caller_Process_Name which has the value of `C:\Windows\System32\explorer.exe`
I want to take the "explorer.exe" part out of this field and place it in a new field (called process_name_short). So I see regex as the solution here.
I have been trying the following but I do not believe I am using regex correctly in Splunk and the documentation isn't very helpful.
`| rex field=Caller_Process_Name (?/(\w+)\.(\w+)$/)`
I'm sure my regex is solid as it pulls out only the explorer.exe part of the string in the online regex testers.
Would anyone be willing to show me what I'm not doing right here, please?
Thanks :)
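The extraction the post describes, written as an added Python example rather than code from the post or from Splunk: a single named capture group takes the last path component (everything after the final `\` or `/`) and becomes the new `process_name_short` value. Splunk's `rex` names a group with `(?<name>...)`; Python's `re` module spells the same thing `(?P<name>...)`, which is the only syntax difference. The `enrich` helper, the sample event records, and the field names other than `Caller_Process_Name` and `process_name_short` are constructed for this example.

```python
import re
from typing import Optional

# One or more characters that are neither a backslash nor a forward slash,
# anchored to the end of the string. Capturing "not a separator" instead of
# \w+\.\w+ also handles names with hyphens or no extension (e.g. "my-tool",
# "bash"). Splunk rex would write the group as (?<process_name_short>...).
PROCESS_NAME_RE = re.compile(r"(?P<process_name_short>[^\\/]+)$")


def process_name_short(caller_process_name: str) -> Optional[str]:
    """Return the file name at the end of a Windows or POSIX path.

    Returns None when there is nothing to extract (empty string, or a path
    that ends in a separator), so the caller can spot unexpected values
    instead of silently getting an empty field.
    """
    match = PROCESS_NAME_RE.search(caller_process_name)
    return match.group("process_name_short") if match else None


def enrich(events: list) -> list:
    """Add a process_name_short field to each event dict (constructed helper)."""
    enriched = []
    for event in events:
        short = process_name_short(event.get("Caller_Process_Name", ""))
        enriched.append({**event, "process_name_short": short})
    return enriched


# Constructed sample events, not data from the original post.
SAMPLE_EVENTS = [
    {"Caller_Process_Name": r"C:\Windows\System32\explorer.exe"},
    {"Caller_Process_Name": r"C:\Program Files\Vendor\my-tool.exe"},
    {"Caller_Process_Name": "/usr/bin/bash"},
    {"Caller_Process_Name": "C:\\Windows\\System32\\"},  # trailing separator
]

if __name__ == "__main__":
    for event in enrich(SAMPLE_EVENTS):
        print(event["Caller_Process_Name"], "->", event["process_name_short"])
```

Because the group is anchored with `$` and excludes both separator characters, the same pattern works whether the field holds a Windows or a Unix-style path, and a value with no file name at the end yields `None` rather than a partial match.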