https://community.splunk.com/t5/Splunk-Search/REGEX-issue-with-multiple-criteria/m-p/56371#M13798 <P>Hi All,</P> <P>I'm trying to filter our file audit logs, however I would like for it to ignore any files ending in .tmp</P> <P>I can't seem to get the below to work properly... it seems to match on the event code and the Accesses but completely miss the Object Name for some reason?</P> <P>REGEX = (?msi)EventCode=(4663|567|560).<EM>Object Name:\s</EM>(?!.tmp).<EM>Accesses:\s</EM>(DELETE|WRITE_DAC|WriteData)</P> <P>An example log is:</P> <P>20110309155132.000000<BR /> Category=3<BR /> CategoryString=Object Access<BR /> ComputerName=ComputerName<BR /> EventCode=560<BR /> EventIdentifier=560<BR /> EventType=4<BR /> Logfile=Security<BR /> RecordNumber=2572431<BR /> SourceName=Security<BR /> TimeGenerated=20110309155132.000000+600<BR /> TimeWritten=20110309155132.000000+600<BR /> Type=Audit Success<BR /> User=<STRONG>Username</STRONG><BR /> wmi_type=WinEventLog:Security<BR /> Message=Object Open: </P> <PRE><CODE>Object Server: Security Object Type: File Object Name: G:\users\xxxxxx\Outlook .pst folders\~archive.pst.tmp Handle ID: 7420 Operation ID: {0,239001151} Process ID: 4 Image File Name: Primary User Name: SERVER$ Primary Domain: XXX Primary Logon ID: (0x0,0x3E7) Client User Name: User Client Domain: Domain Client Logon ID: (0x0,0xBA49FA7) Accesses: DELETE ReadAttributes Privileges: - Restricted Sid Count: 0 Access Mask: 0x10080 </CODE></PRE> <P>Any idea's as to where I'm going wrong would be appreciated....</P> <P>Thanks,</P> <P>DB</P> Wed, 09 Mar 2011 13:59:24 GMT Scarecrowddb 2011-03-09T13:59:24Z https://community.splunk.com/t5/Splunk-Search/REGEX-issue-with-multiple-criteria/m-p/56371#M13798 <P>Hi All,</P> <P>I'm trying to filter our file audit logs, however I would like for it to ignore any files ending in .tmp</P> <P>I can't seem to get the below to work properly... it seems to match on the event code and the Accesses but completely miss the Object Name for some reason?</P> <P>REGEX = (?msi)EventCode=(4663|567|560).<EM>Object Name:\s</EM>(?!.tmp).<EM>Accesses:\s</EM>(DELETE|WRITE_DAC|WriteData)</P> <P>An example log is:</P> <P>20110309155132.000000<BR /> Category=3<BR /> CategoryString=Object Access<BR /> ComputerName=ComputerName<BR /> EventCode=560<BR /> EventIdentifier=560<BR /> EventType=4<BR /> Logfile=Security<BR /> RecordNumber=2572431<BR /> SourceName=Security<BR /> TimeGenerated=20110309155132.000000+600<BR /> TimeWritten=20110309155132.000000+600<BR /> Type=Audit Success<BR /> User=<STRONG>Username</STRONG><BR /> wmi_type=WinEventLog:Security<BR /> Message=Object Open: </P> <PRE><CODE>Object Server: Security Object Type: File Object Name: G:\users\xxxxxx\Outlook .pst folders\~archive.pst.tmp Handle ID: 7420 Operation ID: {0,239001151} Process ID: 4 Image File Name: Primary User Name: SERVER$ Primary Domain: XXX Primary Logon ID: (0x0,0x3E7) Client User Name: User Client Domain: Domain Client Logon ID: (0x0,0xBA49FA7) Accesses: DELETE ReadAttributes Privileges: - Restricted Sid Count: 0 Access Mask: 0x10080 </CODE></PRE> <P>Any idea's as to where I'm going wrong would be appreciated....</P> <P>Thanks,</P> <P>DB</P> Wed, 09 Mar 2011 13:59:24 GMT https://community.splunk.com/t5/Splunk-Search/REGEX-issue-with-multiple-criteria/m-p/56371#M13798 Scarecrowddb 2011-03-09T13:59:24Z https://community.splunk.com/t5/Splunk-Search/REGEX-issue-with-multiple-criteria/m-p/56372#M13799 <P>Can you post some sample log records ?</P> Wed, 09 Mar 2011 23:06:19 GMT https://community.splunk.com/t5/Splunk-Search/REGEX-issue-with-multiple-criteria/m-p/56372#M13799 wollinet 2011-03-09T23:06:19Z https://community.splunk.com/t5/Splunk-Search/REGEX-issue-with-multiple-criteria/m-p/56373#M13800 <P>Hi there, I've posted an example log above now.... thanks!</P> Thu, 10 Mar 2011 06:31:29 GMT https://community.splunk.com/t5/Splunk-Search/REGEX-issue-with-multiple-criteria/m-p/56373#M13800 Scarecrowddb 2011-03-10T06:31:29Z https://community.splunk.com/t5/Splunk-Search/REGEX-issue-with-multiple-criteria/m-p/56374#M13801 <P>Try this one:</P> <PRE><CODE>REGEX = (?msi)EventCode=(4663|567|560).Object Name:\s(?&lt;!\.tmp).Accesses:\s(DELETE|WRITE_DAC|WriteData) </CODE></PRE> <P>But I wonder if simply using "." to match over several lines really works. You can also try something like this:</P> <PRE><CODE>REGEX = (?mi)^EventCode=(4663|567|560).*^Object Name:.*\.tmp$.*^Accesses:\s(DELETE|WRITE_DAC|WriteData) </CODE></PRE> Thu, 10 Mar 2011 19:11:14 GMT https://community.splunk.com/t5/Splunk-Search/REGEX-issue-with-multiple-criteria/m-p/56374#M13801 wollinet 2011-03-10T19:11:14Z https://community.splunk.com/t5/Splunk-Search/REGEX-issue-with-multiple-criteria/m-p/56375#M13802 <P>Hi There... sorry, but neither of the above works....</P> <P>Any other suggestions?</P> Fri, 11 Mar 2011 05:16:43 GMT https://community.splunk.com/t5/Splunk-Search/REGEX-issue-with-multiple-criteria/m-p/56375#M13802 Scarecrowddb 2011-03-11T05:16:43Z https://community.splunk.com/t5/Splunk-Search/REGEX-issue-with-multiple-criteria/m-p/56376#M13803 <P>Any other idea's??</P> Mon, 14 Mar 2011 06:26:28 GMT https://community.splunk.com/t5/Splunk-Search/REGEX-issue-with-multiple-criteria/m-p/56376#M13803 Scarecrowddb 2011-03-14T06:26:28Z https://community.splunk.com/t5/Splunk-Search/REGEX-issue-with-multiple-criteria/m-p/56377#M13804 <P>Just tried something like this and it seems to work:</P> <P>(?msi)^EventCode=(540|567|560).<EM>Object Name:.</EM>.tmp.*Accesses:\s(DELETE|WRITE_DAC|WriteData)</P> <P>I couldn't try your exact pattern, but used a similar expression.</P> Wed, 16 Mar 2011 14:02:59 GMT https://community.splunk.com/t5/Splunk-Search/REGEX-issue-with-multiple-criteria/m-p/56377#M13804 wollinet 2011-03-16T14:02:59Z