topic Re: Using Rex to pull out a file path , file name and extension from verbose message field in Splunk Search

Using Rex to pull out a file path , file name and extension from verbose message field

ViperV — Mon, 08 Feb 2021 07:08:48 GMT

Hi all,

I'm new to splunk searches and would appreciate some help to find out how to pull out the file path, file name and file extension from the message field(example below)

The message has verbose text and the path occurs twice within the text. In this example I'd be looking to extract from within the text the file path, file name and file extension and present them in a four column table along with the the time of the event.

Thanks in advance!

Message=Code Integrity determined that a process (\Device\HarddiskVolume1\Program Files\SplunkUniversalForwarder\bin\splunkd.exe) attempted to load \Device\HarddiskVolume1\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe that did not meet the Enterprise signing level requirements or violated code integrity policy (Policy ID:{a244370e-44c9-4c06-b551-f6016e563076}). However, due to code integrity auditing policy, the image was allowed to load.

Re: Using Rex to pull out a file path , file name and extension from verbose message field

gcusello — Mon, 08 Feb 2021 07:37:22 GMT

Hi @ViperV,

I didn't undestand if you need to extract the first path or the second.

Anyway, the first extraction is:

| rex "\((?<path>\\.*\\bin\\)(?<file>[^\.]+)\.(?<ext>\w+)\)"

that you can test at https://regex101.com/r/DN7taY/1

the second one is:

| rex "\s(?<path>\\.*\\bin\\)(?<file>[^\.]+)\.(?<ext>\w+)\s"

that you can test at \s(?<path>\\.*\\bin\\)(?<file>[^\.]+)\.(?<ext>\w+)\s

Ciao.

Giuseppe

Re: Using Rex to pull out a file path , file name and extension from verbose message field

ViperV — Mon, 08 Feb 2021 08:22:48 GMT

Grazie Giuseppe!

I got the following error on trying the code

Error in 'rex' command: Encountered the following error while compiling the regex '\s(?<path>\.*\bin\)(?<file>[^\.]+)\.(?<ext>\w+)\s': Regex: missing closing parenthesis.

should i be closing it with an extra parenthesis?

i guess to create a table i do the following?

...|table path, file, ext

Re: Using Rex to pull out a file path , file name and extension from verbose message field

gcusello — Mon, 08 Feb 2021 08:30:07 GMT

Hi @ViperV,

beware: that are two backslashes three times in the first part of the regex, not one:

| rex "\s(?<path>\\.*\\bin\\)(?<file>[^\.]+)\.(?<ext>\w+)\s"

because you have backslash in your path but backslash is a special char in regexes that must be escaped with another backslash.

Ciao.

Giuseppe

Re: Using Rex to pull out a file path , file name and extension from verbose message field

ViperV — Mon, 08 Feb 2021 08:42:56 GMT

Great, thanks!

Would that also work for the following type of path?

(\Device\HarddiskVolume1\Windows\explorer.exe) attempted to load \Device\HarddiskVolume1\Users\vagrant\Downloads\kitty-0.74.4.6.exe

Re: Using Rex to pull out a file path , file name and extension from verbose message field

gcusello — Mon, 08 Feb 2021 09:07:50 GMT

Hi @ViperV,

you have to use a different regex for a di fferent log:

| rex "\((?<path>\\.+)\\(?<file>[^\.]+)\.(?<ext>[^\)]+)\)"

that you can test at https://regex101.com/r/ZJ0Fyv/1

or the second:

| rex "\s(?<path>\\.+)\\(?<file>.+)\.(?<ext>[^\)]+)"

that you can test at https://regex101.com/r/ZJ0Fyv/1

If this answer solves your need, please accept it for the other people of Community.

Ciao.

Giuseppe

P.S.: Karma Points are appreciated 😉

Re: Using Rex to pull out a file path , file name and extension from verbose message field

ViperV — Mon, 08 Feb 2021 09:11:49 GMT

Works a charm! thanks!