  • Marvin Mcguire

    How do you search custom parsed fields with wildcards? Say I set my own field name for Windows event logs to parse out the field I define as "malicious_command_line", and then I want to search something like this: | where malicious_command_line=*malware*


    I get an error when I use the parse function and then pipe with an attempted wildcard search, so the error I'm getting is similar to when a sample query such as this is attempted to run (see below).

    | parse "\"CommandLine\":\"* as malicious_command_line
    | where malicious_command_line=*malware*


    Error is stated as "'[' expected but '*' found."
