https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-append-concatenate-regexes-for-one-field-check/m-p/457858#M129301 <P>Currently I have a search as follows:</P> <PRE><CODE>myFieldName="mySearchValue" | where match(path,`startOfPath`) `startOfPath` expands to f.e. "^C\:\\\Windows\\\.*" </CODE></PRE> <P>Some cases, however, I'd need to specify additional paths. In order to avoid to have a lot of repetition, my question was whether it was possible to use <CODE>startOfPath</CODE> + rest of path to validate the path.</P> <P>As requested by mydog8it I'll elaborate with a concrete example of what I'm trying to accomplish.</P> <P>macro 1 : filter_CLIENT_CONTROL<BR /> <CODE>ThreatName="Client Control" | where match(SourcePath,`path_windows` + CustomRestOfPath)</CODE></P> <P>macro 2 : path_windows<BR /> <CODE>"^C\:\\\Windows\\\.*"</CODE></P> <P>Whilst what I'm trying to accomplish is as follows for the filter_CLIENT_CONTROL macro:<BR /> <CODE>ThreatName="Client Control" | where match(SourcePath,`path_windows` + ".*\\(COMPATTELRUNNER)\.EXE" ")</CODE></P> <P>So in essence, the regex within the <CODE>filter_CLIENT_CONTROL</CODE> macro expands to <CODE>^C\:\\(WINDOWS)\\.*\\(COMPATTELRUNNER)\.EXE</CODE></P> <P>Thank you</P> Tue, 29 Sep 2020 23:50:01 GMT hexerino 2020-09-29T23:50:01Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-append-concatenate-regexes-for-one-field-check/m-p/457858#M129301 <P>Currently I have a search as follows:</P> <PRE><CODE>myFieldName="mySearchValue" | where match(path,`startOfPath`) `startOfPath` expands to f.e. "^C\:\\\Windows\\\.*" </CODE></PRE> <P>Some cases, however, I'd need to specify additional paths. In order to avoid to have a lot of repetition, my question was whether it was possible to use <CODE>startOfPath</CODE> + rest of path to validate the path.</P> <P>As requested by mydog8it I'll elaborate with a concrete example of what I'm trying to accomplish.</P> <P>macro 1 : filter_CLIENT_CONTROL<BR /> <CODE>ThreatName="Client Control" | where match(SourcePath,`path_windows` + CustomRestOfPath)</CODE></P> <P>macro 2 : path_windows<BR /> <CODE>"^C\:\\\Windows\\\.*"</CODE></P> <P>Whilst what I'm trying to accomplish is as follows for the filter_CLIENT_CONTROL macro:<BR /> <CODE>ThreatName="Client Control" | where match(SourcePath,`path_windows` + ".*\\(COMPATTELRUNNER)\.EXE" ")</CODE></P> <P>So in essence, the regex within the <CODE>filter_CLIENT_CONTROL</CODE> macro expands to <CODE>^C\:\\(WINDOWS)\\.*\\(COMPATTELRUNNER)\.EXE</CODE></P> <P>Thank you</P> Tue, 29 Sep 2020 23:50:01 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-append-concatenate-regexes-for-one-field-check/m-p/457858#M129301 hexerino 2020-09-29T23:50:01Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-append-concatenate-regexes-for-one-field-check/m-p/457859#M129302 <P>Can you provide example data and an example of how you would like it parsed? It sounds to me like you could just use two capture groups with the names "startOfPath" and another named "restOfPath". </P> Thu, 28 Mar 2019 13:04:23 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-append-concatenate-regexes-for-one-field-check/m-p/457859#M129302 mydog8it 2019-03-28T13:04:23Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-append-concatenate-regexes-for-one-field-check/m-p/457860#M129303 <P>After having provided information but not having received any feedback I solved the problem through an alternative approach.</P> Wed, 17 Apr 2019 10:04:52 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-append-concatenate-regexes-for-one-field-check/m-p/457860#M129303 hexerino 2019-04-17T10:04:52Z