topic Re: Lookup doesn't work with wildcard within strings in Splunk Enterprise

Lookup doesn't work with wildcard within strings

VK18 — Mon, 02 Oct 2023 07:50:18 GMT

We are currently using a regex pattern to match events against our raw data, and it works perfectly when we use the search app. The pattern we are using is:

C:\\Windows\\system32\\cmd\.exe*C:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\14\.3\.8289\.5000\.105\\Data\\Definitions\\WebExtDefs\\20230830\.063\\webextbridge\.exe*

However, when we try to use this regex pattern in a lookup table, the events are not being matched. This seems to be because of the wildcard in the pattern. Despite defining the field name in the lookup definition (e.g., WILDCARD(process)), it still doesn't match the events.

I'm wondering if Splunk lookup supports wildcards within strings, or does it only support them at the beginning and end of strings?

Any insights or guidance on this matter would be greatly appreciated.

Regards
VK

Re: Lookup doesn't work with wildcard within strings

inventsekar — Mon, 02 Oct 2023 01:21:01 GMT

Hi @VK18 .. please check this post:

https://community.splunk.com/t5/Splunk-Search/Can-we-use-wildcard-characters-in-a-lookup-table/m-p/94513

Re: Lookup doesn't work with wildcard within strings

VK18 — Wed, 04 Oct 2023 00:00:42 GMT

HI @inventsekar,
I attempted to include a wildcard entry in transforms.conf, but unfortunately, it did not yield any successful results. It appears that Splunk lookup only accommodates wildcards at the start and end of a string and does not function when the wildcard is placed within the string.

Exmaple below where it is working

* webex.com
office*

Example below where it is not working
abc*def*ghi*

Re: Lookup doesn't work with wildcard within strings

bowesmana — Wed, 04 Oct 2023 02:27:38 GMT

Splunk does not support regex patterns in lookups, ONLY wildcards, i.e. *, so your escaped . characters and \ characters should not be in the lookup.

Your pattern is a bit odd in that it has

C:\\Windows\\system32\\cmd\.exe*C:\\P...

where the * in that, if it is a regex, is saying you need to repeat the preceding 'e' character 0 or more times.

If your process field contains C:\Windows\system32\cmd.exe ... then that should be the entry in the lookup and in the lookup entry you add * characters where you want to match any character in the data.

That * wildcarding is all that is supported in lookups.

Re: Lookup doesn't work with wildcard within strings

VK18 — Thu, 05 Oct 2023 02:18:21 GMT

Hi @bowesmana ,

Thank you for clarifying that Splunk lookup does not support regex patterns.

I have just attempted to include the following event in the Splunk lookup, with a wildcard at the end, in order to match other events occurring after "webextbridge.exe." But, looks like it is not working

Original event :-
C:\Windows\system32\cmd.exe /d /c C:\ProgramData\Symantec\Symantec Endpoint Protection\14.3.XXXX.5000.105\Data\Definitions\WebExtDefs\20230830.063\webextbridge.exe chrome-extension://XXXXXXXXXXXXXXXXXXXXXXXXXXXXX/ --parent-window=0 < \\.\pipe\chrome.nativeMessaging.in.XXXXXXXXXXXa3 > \\.\pipe\chrome.nativeMessaging.out.10f754de9b9001a3

Splunk lookup table field value :-
"C:\Windows\system32\cmd.exe /d /c C:\ProgramData\Symantec\Symantec Endpoint Protection\14.3.8289.5000.105\Data\Definitions\WebExtDefs\20230830.063\webextbridge.exe*"

Regards
VK

Re: Lookup doesn't work with wildcard within strings

bowesmana — Thu, 05 Oct 2023 06:07:02 GMT

That is really interesting and you are right - I tried these variants

C:\Windows\system32\cmd.exe /d /c C:\ProgramData\Symantec\Symantec Endpoint Protection\14.3.8289.5000.105\Data\Definitions\WebExtDefs\20230830.063\webextbridge.exe* C:\Windows\system32\cmd.exe /d /c C:\ProgramData\Symantec\Symantec Endpoint Protection\14.3.8* C:\Windows\system32\cmd.exe /d /c C:\ProgramData\Symantec\Symantec Endpoint Protection\*\webextbridge.exe*

and the top two do not work, the last does. If I make the second one end in 14.3.* then it DOES work.

Not sure what's going on there,