topic Re: Splunk Regex Question in Splunk Enterprise

Splunk Regex Question

Bhart1 — Mon, 16 Jun 2025 18:32:41 GMT

I have a question regarding how to handle a regex query in a macro. Below I have a regex similar to the one I'm doing that matches when i use a regex checker, but when I try and add it to a simple search macro in splunk it gives an error:

Error:
Error in 'SearchOperator:regex': Usage: regex <field> (=|!=) <regex>.

Macro tied to the rule. Basically has a first part of a script, then IP address it ignores, and then a second part of the script. One below is really simplified but gets same error:

Regex Example:
| regex [field] !="^C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" "Resolve-DnsName \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b \| Select-Object -Property NameHost$"

String to check against in this example:
C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "Resolve-DnsName 0.0.0.0 | Select-Object -Property NameHost

I feel like this should work, but maybe there is something I'm missing on how Splunk handles regex and how I need to tweak it.

Any info on this would be greatly appreciated.
Thanks.

Re: Splunk Regex Question

richgalloway — Mon, 16 Jun 2025 19:36:05 GMT

[field] is improper syntax for the regex command. Use the field name by itself. If it's an argument to a macro then use $field$.

Re: Splunk Regex Question

Bhart1 — Mon, 16 Jun 2025 19:59:55 GMT

Oh apologies for the misunderstanding. That's not how it really is. I just have that as a placeholder for the real field.

It's like this:

| regex fieldname !=

Re: Splunk Regex Question

richgalloway — Mon, 16 Jun 2025 20:14:53 GMT

Please put the *real* and *complete* macro definition in a code block so we know exactly what we're working with and can test it in our own sandboxes. Please also include how the macro is used in a query.

Re: Splunk Regex Question

Bhart1 — Mon, 16 Jun 2025 20:46:37 GMT

@richgalloway

Rule looking up process info in general:

| tstats `content_summariesonly` values(Processes.process_id) as process_id, values(Processes.parent_process_id) as parent_process_id values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process="* -ex*" AND Processes.process="* bypass *") by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| 'exceptions`
| stats values(dest) count by process, parent_process

Macro (exceptions):

search process != "blah"
| regex process !="^C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" "Resolve-DnsName \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b \| Select-Object -Property NameHost$"

Re: Splunk Regex Question

PickleRick — Mon, 16 Jun 2025 21:29:08 GMT

Ok. Firstly, it's bad syntax. The syntax (in your case) should be

| regex field!="regex"

while you have

| regex field!="regex" "something else"

And secondly, the regex provided as a string is subject to the normal string escaping rules. So your "\\W" becomes efectively a regex for \W, which means "any non-word character" and so on. You should also escape the backslashes for the actual regex classes. So instead of "\d" you should use "\\d" and so on.

Re: Splunk Regex Question

Bhart1 — Mon, 16 Jun 2025 21:49:04 GMT

So is there no way to have it match the first and last strings while excluding a certain middle part? Something like:

"[string1, regex to exclude middle part, string2]"

I mean it's pretty clear with the matching string and regex that the point is to match everything but the changing IP.

C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "Resolve-DnsName 0.0.0.0 | Select-Object -Property NameHost

Re: Splunk Regex Question

richgalloway — Tue, 17 Jun 2025 00:07:31 GMT

@Bhart1 wrote:
So is there no way to have it match the first and last strings while excluding a certain middle part? Something like:

"[string1, regex to exclude middle part, string2]"

I mean it's pretty clear with the matching string and regex that the point is to match everything but the changing IP.

C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "Resolve-DnsName 0.0.0.0 | Select-Object -Property NameHost

You can do that, and it's done all the time. However, the regular expression MUST be a single quoted string. Something like this.

| regex process !="^C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Resolve-DnsName \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b \| Select-Object -Property NameHost$"

I disagree with @PickleRick about the escaping. I think you have that part right.

Re: Splunk Regex Question

PickleRick — Tue, 17 Jun 2025 05:32:03 GMT

@richgalloway I disagree with your disagreeing 😉

| makeresults
| eval s="c:\\windows"
| regex s="c:\\\\windows"

This one returns a result while this one

| makeresults
| eval s="c:\\windows"
| regex s="c:\\windows"

doesn't.

@Bhart1 I'm not sure what you mean by "exclude" here. In any case you just need a single regex to match. If you wan to match anything having parts matching both regexes, you might simply join them with a "match anything" .*. Like

|regex field!="C:\\\\WINDOWS\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe.*Resolve-DnsName \\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3} \\| Select-Object -Property NameHost"