Capture a substring from a windows path

I need to capture services.exe from the path C:\Windows\System32\services.exe, but for every event the path changes dynamically. What would be a generic way to capture whatever is there after the last \.

Thanks in advance

Hi there,

supposing your path is in the path field, have you tried a filter like:

ruby {
  code => "
    if (path = event.get('path'))
      event.set('new_field', path.split('\\')[-1])
    end
  "
}

if [PathName] {
  ruby {
    code => "event.set('PathName', event.get('Path').split('\\').last)"
  }
}
Working for me.

Sure! Your solution is the same as mine (I simply escaped the backslash, and [-1] is the same as .last in Ruby), but I'd add the check on the existence of the path field, since if it doesn't exist (very unlikely, but who knows) the pipeline will break.

Agree. In fact I do have the check.
Edited my solution.

Mhmh, I think you've got to edit it again, since you're checking for the existence of the field PathName and then trying to retrieve something from the field Path.

It makes no sense to perform such a check. Also, it'll most likely skip the ruby filter unless you have a PathName field in your source event.

P.S. Also, format your code before publishing the post, using the editor's code-formatting tool.

My bad. I had overlooked it. Thanks for correcting.

if [Path] {
  ruby {
    code => "event.set('PathName', event.get('Path').split('\\').last)"
  }
}
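The one-liner above works for the happy path, but a production pipeline also sees events where the field is absent, empty, not a string, or uses forward slashes or a trailing separator. The script below is an added example written for this thread (not code posted by anyone above): it packages the same idea as a Logstash ruby-filter script file (loadable with `ruby { path => "/etc/logstash/basename.rb" }`, with the `register`/`filter` entry points that plugin expects), generalises the split to both separator styles, tags the event instead of raising when nothing usable is present, and ships a stub Event class so it runs stand-alone. The field names `Path` and `PathName`, the tag name and the sample paths are assumptions for illustration.

```ruby
# Added example for this thread: basename extraction as a Logstash ruby-filter
# script file. Runs stand-alone thanks to the StubEvent class at the bottom.

SOURCE_FIELD = 'Path'      # assumed field names; adjust to your events
TARGET_FIELD = 'PathName'
MISSING_TAG  = '_pathname_missing'   # assumed tag name

# Return the last path component, or nil when nothing usable is present.
# Accepts both Windows (\) and POSIX (/) separators, ignores repeated and
# trailing separators, and refuses non-string input so a malformed event
# cannot raise inside the pipeline worker.
def basename_of(path)
  return nil unless path.is_a?(String)
  path.split(%r{[\\/]+}).reject(&:empty?).last
end

# Entry points used by the Logstash ruby filter when loaded via `path =>`.
def register(params)
  # no options consumed; present so the file loads as a script filter
end

def filter(event)
  name = basename_of(event.get(SOURCE_FIELD))
  if name
    event.set(TARGET_FIELD, name)
  else
    event.tag(MISSING_TAG)   # breadcrumb instead of a crashed worker
  end
  [event]
end

# Minimal stand-in for LogStash::Event so this file runs outside Logstash.
class StubEvent
  def initialize(fields)
    @fields = fields
  end

  def get(key)
    @fields[key]
  end

  def set(key, value)
    @fields[key] = value
  end

  def tag(value)
    tags = (@fields['tags'] ||= [])
    tags << value unless tags.include?(value)
  end

  def to_hash
    @fields
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample events, not real log data.
  samples = [
    { 'Path' => 'C:\Windows\System32\services.exe' },
    { 'Path' => '\\\\fileserver\share\tools\psexec.exe' },
    { 'Path' => '/usr/bin/bash' },
    { 'Path' => "C:\\Temp\\" },
    { 'Path' => '' },
    {}
  ]
  samples.each do |fields|
    ev = StubEvent.new(fields)
    filter(ev)
    puts ev.to_hash.inspect
  end
end
```

Inside a real pipeline the `if [Path]` guard from the thread is still a fine outer check; the nil handling here is what protects you when the field exists but holds something other than a non-empty string.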

P.S. Also, format your code before publishing the post, using the editor's code-formatting tool.

This instruction is so darn harsh for you guys to follow, isn't it? :sweat_smile:

