topic Re: Escaping quotes in where command in Splunk Search

Escaping quotes in where command

Sasquatchatmars — Thu, 15 Oct 2020 08:49:52 GMT

Hi all,

I have been trying to use a where command but I'm stuck because of the double quotes that I can't escape.

My command is this

| where match(content_body,"\"https://.*".recipient.".*\"")

I have the feeling that this isn't the right way to do it, I got no results but I'm almost sure there are. When I change it to

| where match(content_body,"<https://.*".recipient.".*>")

I get the other results that I want. So I think it is only the escaping that doesn't work accordingly. Can someone confirm if I am right or not?

Thank you

Sasquatchatmars

Re: Escaping quotes in where command

ITWhisperer — Thu, 15 Oct 2020 08:22:56 GMT

The escaping looks right. Does the recipient field have the value you are searching for, as it would be found in the content_body field of the same event?

Re: Escaping quotes in where command

Sasquatchatmars — Thu, 15 Oct 2020 08:28:09 GMT

Hi @ITWhisperer,

Thank you for your reply. Yes it is exactly the same, that is why I don't understand why it doesn't work

Sasquatchatmars

Re: Escaping quotes in where command

ITWhisperer — Thu, 15 Oct 2020 08:31:32 GMT

Can you share the rest of your query and a line or two from your logs (anonymised of course)?

Re: Escaping quotes in where command

Sasquatchatmars — Thu, 15 Oct 2020 09:13:20 GMT

This is my search query.

index=[index_name] | rename content_body{} AS content_body, receiver_email{} AS receiver_email | where match(content_body,"\"https://.*".recipient.".*\" ") | dedup sender_email | table recipient sender_email content_body username

FIY recipient is firstname.lastname@domainname

And the part of the log is

"https://f22c834a4f224bcbb563c127f7a8477f.svc.dynamics.com/t/r/zyqi3= CfkIaT_ZSLfiMGTiZjG5y-6Cc5jKCmGO0YH-Nc#[recipient]:e8990=3D23" /!\ Be aware, this link is a phishing link /!\

Re: Escaping quotes in where command

ITWhisperer — Thu, 15 Oct 2020 08:56:42 GMT

If recipient is firstname.lastname@domainname, is this the same as receiver_email? Can you use

| where match(content_body,"\"https://.*".receiver_email.".*\" ")

Re: Escaping quotes in where command

Sasquatchatmars — Thu, 15 Oct 2020 08:59:34 GMT

Yes it is the same, splunk has made two field one with receiver_email and the other is recipient but they are the same.

If I replace my command with yours it doesn't work either.

Re: Escaping quotes in where command

ITWhisperer — Thu, 15 Oct 2020 09:05:59 GMT

The example you gave doesn't have a firstname.lastname@domainname in it. I assume this is because you anonymised it. But you have also anonymised username which you say works. There doesn't appear to be anything wrong with your match, so the conclusion is that there are no matches in your data.

Re: Escaping quotes in where command

Sasquatchatmars — Thu, 15 Oct 2020 09:12:42 GMT

I made indeed an error because in the log part it isn't supposed to be "username" but "recipient" I will made the change.

Maybe there is no hit but in that case I don't know what I should use as search to verify if the field "recipient" is in the url. Do you maybe know it?

Re: Escaping quotes in where command

ITWhisperer — Fri, 16 Oct 2020 10:06:43 GMT

content_body needs to be rebuilt as a complete string

| eval content_body=mvjoin(content_body,"") | rex field=content_body mode=sed "s/=[\n\r]+//g"

Re: Escaping quotes in where command

Sasquatchatmars — Fri, 16 Oct 2020 10:09:09 GMT

Thank you very much for your help, this is what i needed!