Grok Filter want to see only the processname

I want to see only the Process cmd.exe.

Example:

New Process Name: C:\Windows\System32\cmd.exe  Token Elevation Type: %%1938  Creator Process ID: 0x1a0`enter code here`

Grok Filter:

New Process Name: %{GREEDYDATA}\\%{GREEDYDATA:Process}

Output:

{
  "Process": [
    [
      "cmd.exe  Token Elevation Type: %%1938  Creator Process ID: 0x1a0`enter code here`"
    ]
  ]
}

How i get to see only cmd.exe and not Token Elevation Type: %%1938 Creator Process ID: 0x1a0`enter?

Solution

GREEDYDATA usually means "everything". I find it usually not be useful except at the end of a pattern (as a catch-all).

So, you're asking for everything after the backslash, which is what you're getting.

How about:

New Process Name: %{GREEDYDATA}\\%{NOTSPACE:Process}

Logstash install error: can't get unique system GID (no more available GIDs)
how to remove /r from field value in logstash grok
Logstash plugin installed but not found
Logstash field is never shown after aggregation
Observability in Laravel Applications
Could not connect Logstash to Kafka via compose file
How to convert a string field to array using Logstash
How can I check nulls in Logstash pipeline in filter plugin?
How to input a JSON file (array form) in Logstash?
Log4J JsonTemplateLayout replacing message content
logstash error: java.net.SocketException: Connection reset
logstash keep both raw data and aggregated data
Logstash Elasticsearch output plugin creates a single document index in Elasticsearch
Index pattern is not showing up in Kibana management
Problems with updating :sql_last_value
Logstash stopped processing because of an error: (SystemExit) exit org.jruby.exceptions.SystemExit
Logstash main class JvmOptionsParser not found / cannot load
How to Send Structured Logs to ELK Stack with Custom Fields Using Python Logging?
Querying keyword field in Logstash
ELK index name doesn't change on rollover on the next day
Grok pattern for [Mon Jan 04 08:36:12 2021]
Ingesting SQL Server ErrorLog using Filebeat with the mssql module
logstash unable to connect to elasticsearch
How to discard the Duplicate values in ElasticSearch using DSL Query?
Logstash Expected one of
How can I manually trigger timing jdbc input in logstash?
Error: exec /usr/local/bin/docker-entrypoint: permission denied for Logstash container on Podman
Elasticsearch - Logstash Grok new field date formate is string and not date
http.host: 0.0.0.0 - ERROR lookup logstash : no such host
How to have an input of type MongoDB for Logstash