topic search does not match token which contains file path with special characters in Splunk Search

search does not match token which contains file path with special characters

ToniHuynh — Tue, 18 Aug 2020 06:15:22 GMT

Hi Everyone,

I passed a token which contain a file path with some special character into a search but it does not show any result:

index=wineventlog EventCode=4660 OR EventCode=4663 Account_Name!="ANONYMOUS LOGON" host="MELFP" Account_Name!="*$" | eval ObjectName=urldecode("D:\Company Data\HR\Payroll\HR$ (MELFP02) (P) - Shortcut.lnk") | eval ObjectName=replace(ObjectName,"\\\\","\\\\\\") | where match(Object_Name,ObjectName) | table _time host Account_Name Account_Domain Object_Name Accesses EventCodeDescription | sort _time desc

However, If I compare directly as below then it would show result.

|search Object_Name="D:\\Company Data\\HR\Payroll\\HR$ (MELFP02) (P) - Shortcut.lnk"

Not sure why because if I shows the ObjectName, it is decoded correctly as below

"D:\\Company Data\\HR\Payroll\\HR$ (MELFP02) (P) - Shortcut.lnk"

Re: search does not match token which contains file path with special characters

richgalloway — Tue, 18 Aug 2020 13:42:02 GMT

The second argument to the match function must be a valid regular expression. While you've taken the precaution to escape the backslash characters, you must also do so with the other regex special characters such as $, (, and ..

If that's too much effort (understandable), try the like function, instead.

Re: search does not match token which contains file path with special characters

ToniHuynh — Wed, 02 Sep 2020 00:03:12 GMT

Thanks @richgalloway but like function still does not work for me.

| where like(Object_Name,ObjectName)

Re: search does not match token which contains file path with special characters

richgalloway — Wed, 02 Sep 2020 13:02:00 GMT

Are Object_Name and ObjectName identical? If not, does ObjectName contain pattern characters that would produce a match with Object_Name?