topic Re: Escaping (*) in Fieldvalues while inputlookup in Splunk Enterprise

Escaping (*) in Fieldvalues while inputlookup

twjack — Tue, 10 Oct 2017 12:59:38 GMT

Hello everyone, I have the following problem.

My Inputlookup (a whiltelist) has the following data structure:

host,dest_host,Host_Application
host1, dest_Host1,Host_Application1
host2, dest_Host2,Host_*2

My inputlookup is structured as follows:

NOT 
    [| inputlookup something2exclude.csv 
    | table * ]

The normalized search looks good for the first row (host1):

(host=host1 AND dest_Host=dest_Host1 AND Host_Application=Host_Application1)

But, for the second row I get an error message:

...contains a wildcard in the middle of a word or string. This might cause inconsistent results if the characters that the wildcard represents include punctuation.

How can I exclude the asterisk as fieldvalue while inputlookup?

Re: Escaping (*) in Fieldvalues while inputlookup

sbbadri — Tue, 29 Sep 2020 16:13:09 GMT

@twjack
try this,

| inputlookup something.csv | eval Host_Application=replace(Host_Application,"\*","#") | rest of your search

Re: Escaping (*) in Fieldvalues while inputlookup

twjack — Tue, 10 Oct 2017 15:18:17 GMT

Here is an example of the original field content that should not appear in the search results:

"C:\Windows\SYSNATIVE\WINDOW~1\v1.0\powershell.exe -command stop-process -processname DeployControlFullScanSCEP* -force".

All results with the following combination should no longer be present in the search results:

Host_Application="C:\Windows\SYSNATIVE\WINDOW~1\v1.0\powershell.exe -command stop-process -processname DeployControlFullScanSCEP* -force"

If I replace the asterisk with "#" then Splunk will not find the string and will not remove the results. In a search, I'd put it this way:

Host_Application!="C: \Windows\SYSNATIVE\WINDOW~1\v1.0\powershell.exe -command stop-process -process name DeployControlFullScanSCEP* -force".

or even

NOT Host_Application="C: \Windows\SYSNATIVE\WINDOW~1\v1.0\powershell.exe -command stop-process -processname DeployControlFullScanSCEP* -force".

Technically my variant listed below works, the results are filtered but Splunk complains about the asterisk.

NOT
    [| inputlookup something2exclude.csv 
    table *]

Re: Escaping (*) in Fieldvalues while inputlookup

blacknight659 — Tue, 10 Oct 2017 15:42:49 GMT

If you don't follow the Eval from @twjack, I would extract the value and remove the "*".

NOT
[| inputlookup something.csv | fields host, dest_host, Host_Application]
| rex field=Host_Application "*(?<Host_ApplicationNew>[a-zA-Z]*)"

Re: Escaping (*) in Fieldvalues while inputlookup

twjack — Tue, 10 Oct 2017 17:15:02 GMT

To make it easier to understand and avoid confusion.

Assuming I have these kind of log entries:

2017-10-10 10:53  <dest_host = dest_host2.domain.com> <Host_Application = C: \Windows\SYSNATIVE\WINDOW~1\v1.0\powershell. exe -command stop-process -process name DeployControlFullScanSCEP*>
-force>

and

2017-10-10 10:55  <dest_host = dest_host1.domain.com> <Host_Application = C: \Windows\SYSNATIVE\WINDOW~1\v1.0\powershell. exe>

and a lookupfile called exclude.csv with the following structure:

host, dest_host, Host_Application
host1, dest_host1.domain.com, C:\Windows\SYSNATIVE\WINDOW~1\v1.0\powershell.exe
host2, dest_host2.domain.com, C:\Windows\SYSNATIVE\WINDOW~1\v1.0\powershell.exe -command stop-process -processname DeployControlFullScanSCEP* -force

To test my whitelisting I narrow down the results with the following search to get only these events.

index=powershell Host_Application="C:\\Windows\\SYSNATIVE\\WINDOW~1\\v1.0\\powershell.exe -command stop-process -processname DeployControlFullScanSCEP* -force" OR Host_Application="C:\\Windows\\SYSNATIVE\\WINDOW~1\\v1.0\\powershell.exe"
| table host dest_host Host_Application

I get the correct table:

host, dest_host, Host_Application
host1, dest_host1.domain.com, C:\Windows\SYSNATIVE\WINDOW~1\v1.0\powershell.exe
host2, dest_host2.domain.com, C:\Windows\SYSNATIVE\WINDOW~1\v1.0\powershell.exe -command stop-process -processname DeployControlFullScanSCEP* -force

Now it's time to make this result disappear through a inputlookup and see if the whitelisting works.

index=powershell Host_Application="C:\\Windows\\SYSNATIVE\\WINDOW~1\\v1.0\\powershell.exe -command stop-process -processname DeployControlFullScanSCEP* -force" OR Host_Application="C:\\Windows\\SYSNATIVE\\WINDOW~1\\v1.0\\powershell.exe" NOT 
    [| inputlookup exclude.csv | table * ]

It works but Splunk complains about the asterisk:

...contains a wildcard in the middle
of a word or string. This might cause
inconsistent results if the characters
that the wildcard represents include
punctuation.

I just can't figure out a solution that would satisfy Splunk. I hope that I was able to express my challenge more clearly.

Re: Escaping (*) in Fieldvalues while inputlookup

blacknight659 — Tue, 10 Oct 2017 18:46:27 GMT

Ok, how about this crazy idea.

|inputlookup exclude.csv
| eval Host_Application=replace(Host_Application,"\*","#") 
| outputlookup exclude2.csv

Then change the .csv from your original search to the new one.

Re: Escaping (*) in Fieldvalues while inputlookup

twjack — Tue, 10 Oct 2017 19:18:55 GMT

@blacknight659

This doesn't work because the string will no longer match and the results won't be filtered out.