topic Re: Simple search extraction for lines of text with spaces ??? in Splunk Search

Simple search extraction for lines of text with spaces ???

AaronMoorcroft — Mon, 21 Jan 2019 15:13:37 GMT

Hey Guys,

I seem to be struggling to pull out some what I thought would be simple searches.

An example result could look like this -

CommandLine: net share

So how would I run a search to bring back only "CommandLine: net share" from within eventsas the results and not every event that contains CommandLine: and or net and or share

Thanks

Re: Simple search extraction for lines of text with spaces ???

gcusello — Mon, 21 Jan 2019 15:43:43 GMT

Hi AaronMoorcroft,
sorry but I'm not sure to have understood your question because answer is too easy:
do you want to insert in a search the exact string "CommandLine: net share" and not every single word?

if this is your question, answer is very simple:

index=my_index "CommandLine: net share"

In this way you're sure to find only the exact string and not the single words.

Bye.
Giuseppe

Re: Simple search extraction for lines of text with spaces ???

AaronMoorcroft — Tue, 29 Sep 2020 22:53:29 GMT

Hey Cusello,

you would think so right but that brings back no results for me at all, however if I do a ("CommandLine:" AND "net" AND "share" that will bring back some results as shown below however it brings back events that just contain either 1 or 2 of the other words where all I really want to see is events containing the exact match of "CommandLine: net share"

Dont worry the below systems are throw away lab systems so no corp data is available

Time Event
1/21/19
1:48:09.000 PM

01/21/2019 01:48:09 PM
LogName=Microsoft-Windows-Sysmon/Operational
SourceName=Microsoft-Windows-Sysmon
EventCode=1
EventType=4
Type=Information
ComputerName=DC01.PurpleHaze.local
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
TaskCategory=Process Create (rule: ProcessCreate)
OpCode=Info
RecordNumber=431111
Keywords=None
Message=Process Create:
RuleName:
UtcTime: 2019-01-21 13:48:09.340
ProcessGuid: {834924C0-CD99-5C45-0000-0010B3DAC700}
ProcessId: 4680
Image: C:\Windows\SysWOW64\net1.exe
FileVersion: 10.0.14393.0 (rs1_release.160715-1616)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
CommandLine: C:\Windows\system32\net1 share
CurrentDirectory: C:\Windows\system32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {834924C0-3E0A-5C40-0000-0020E7030000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA1=382169595D5BBEB535C4575B3EC8CC7E5E933115
ParentProcessGuid: {834924C0-CD99-5C45-0000-00100FDAC700}
ParentProcessId: 1540
ParentImage: C:\Windows\SysWOW64\net.exe
ParentCommandLine: net share
Collapse
CommandLine = C:\Windows\system32\net1 share host = DC01 source = WinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype = WinEventLog:Microsoft-Windows-Sysmon/Operational

1/21/19
1:48:09.000 PM

01/21/2019 01:48:09 PM
LogName=Microsoft-Windows-Sysmon/Operational
SourceName=Microsoft-Windows-Sysmon
EventCode=1
EventType=4
Type=Information
ComputerName=DC01.PurpleHaze.local
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
TaskCategory=Process Create (rule: ProcessCreate)
OpCode=Info
RecordNumber=431110
Keywords=None
Message=Process Create:
RuleName:
UtcTime: 2019-01-21 13:48:09.330
ProcessGuid: {834924C0-CD99-5C45-0000-00100FDAC700}
ProcessId: 1540
Image: C:\Windows\SysWOW64\net.exe
FileVersion: 10.0.14393.0 (rs1_release.160715-1616)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
CommandLine: net share
CurrentDirectory: C:\Windows\system32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {834924C0-3E0A-5C40-0000-0020E7030000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA1=B160F4462A4728BEC8FA053B99709622A4B4DD20
ParentProcessGuid: {834924C0-C9D7-5C45-0000-0010FCA2C500}
ParentProcessId: 3064
ParentImage: C:\Windows\SysWOW64\cmd.exe
ParentCommandLine: C:\Windows\system32\cmd.exe
Collapse
CommandLine = net share host = DC01 source = WinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype = WinEventLog:Microsoft-Windows-Sysmon/Operational

Re: Simple search extraction for lines of text with spaces ???

gcusello — Mon, 21 Jan 2019 16:24:22 GMT

Hi AaronMoorcroft,
in the first sample you shared I see:
ParentCommandLine: net share that matches your string but before the string there's an additional word, instead in the second one I see CommandLine: net share that exactly matches your search.
To distinguish the two events, you could use the regex command:

| regex "\s+CommandLine: net share"

you can test it at https://regex101.com/r/N9cnAe/1

Bye.
Giuseppe

Re: Simple search extraction for lines of text with spaces ???

woodcock — Mon, 21 Jan 2019 19:41:08 GMT

Try this:

"CommandLine: net share" | regex "(?m)[\r\n\s]CommandLine: net share"

Re: Simple search extraction for lines of text with spaces ???

AaronMoorcroft — Tue, 22 Jan 2019 14:43:56 GMT

Hey guys,

Thanks for the advice, still not working im afraid, I can see that it works on Regex101 also managed to get it working on Regex101 with ^[a-zA-Z]+:[\s[a-z]+\s[a-z]+$

When its thrown into Splunk it still doesn't work, I swappped the [ ] for ( ) too as [ ] dont work in Splunk.... Ill keep trying

🙂

Cheers

Re: Simple search extraction for lines of text with spaces ???

woodcock — Tue, 22 Jan 2019 15:26:40 GMT

I updated my answer.

Re: Simple search extraction for lines of text with spaces ???

AaronMoorcroft — Tue, 22 Jan 2019 15:38:20 GMT

still the same i'm afraid no results... very much appreciate your assistance though 🙂

Re: Simple search extraction for lines of text with spaces ???

woodcock — Tue, 22 Jan 2019 15:44:44 GMT

You must not swap [] for () because it completely changes the RegEx. Did you try mine exactly as I showed it or did you modify it?

Re: Simple search extraction for lines of text with spaces ???

AaronMoorcroft — Tue, 22 Jan 2019 15:48:44 GMT

exactly as yours pal