Hello
I am trying to get the filename (name.exe) from a full path (dir + filename) in Windows folders, e.g.:
C:\dir1\dir2\filename.ext
using code as below:
index = os_sysmon NOT Image="*Sysmon*" EventCode=1
| rex field=Image "Executable=(?P<Executable>[^\\\]+)$"
| table Image Executable
Problem:
Executable always empty
Can you please advise?
best regards
Altin
Since the Image field does not contain the string "Executable=" the regular expression does not match and rex extracts nothing. Try removing "Executable=" from the command.
The regular expression shown could be good, but we can't tell without seeing a sample event (not just a file path).
thank you @richgalloway for the reply
attached is an example of my search
Thank you very much @richgalloway
As you suggested, the following worked:
index = os_sysmon NOT Image="*Sysmon*" EventCode=1
| rex field=Image "(?P<Executable>[^\\\]+)$"
| table Image Executable
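As an added illustration (not part of the original thread, and in Python rather than SPL so it can be run locally), the following reproduces why the first `rex` returned an empty `Executable` field and why the accepted version works. The sample `Image` values are constructed here, not taken from the poster's events. The one SPL-specific difference is escaping: the search string is unescaped once before it reaches the regex engine, which is why the posted SPL needs the extra backslashes inside the character class, whereas a Python raw string needs only `[^\\]`.

```python
import re

# Constructed sample Image values in the shape Sysmon EventCode=1 writes them
# (assumed examples; not events from the original thread).
SAMPLE_IMAGES = [
    r"C:\Windows\System32\cmd.exe",
    r"C:\Program Files\Vendor\app name.exe",
    r"\\fileserver\share\tools\psexec.exe",
    r"C:\Users\altin\Desktop\setup.exe",
]

# Pattern from the original post: it requires a literal "Executable=" prefix,
# which the Image field never contains, so it can never match.
BROKEN_PATTERN = re.compile(r"Executable=(?P<Executable>[^\\]+)$")

# Pattern from the accepted answer: every non-backslash character up to the end
# of the string, i.e. the text after the last backslash.
FIXED_PATTERN = re.compile(r"(?P<Executable>[^\\]+)$")


def extract_executable(image, pattern=FIXED_PATTERN):
    """Mimic `rex field=Image "..."`.

    Returns the named capture group, or None when the regex does not match.
    In Splunk a non-matching rex simply does not create the field, which is
    what showed up as an empty Executable column in `table`.
    """
    match = pattern.search(image)
    return match.group("Executable") if match else None


def run_table(images, pattern=FIXED_PATTERN):
    """Equivalent of `| table Image Executable`: (Image, Executable) rows."""
    return [(image, extract_executable(image, pattern)) for image in images]


if __name__ == "__main__":
    print("Original (broken) rex:")
    for image, exe in run_table(SAMPLE_IMAGES, BROKEN_PATTERN):
        print(f"  {image:45} -> {exe}")
    print("Accepted rex:")
    for image, exe in run_table(SAMPLE_IMAGES, FIXED_PATTERN):
        print(f"  {image:45} -> {exe}")
```

One caveat worth knowing before relying on this in a detection search: the accepted pattern anchors on the end of the string, so a value that ends in a backslash (a directory rather than a file) yields no match and the field stays empty, just as it did in the original question.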