topic Why is subsearch not working with regex? in Splunk Search

Why is subsearch not working with regex?

asaphappy — Tue, 11 Apr 2023 22:02:36 GMT

I'm attempting to find file downloads within a 2 minute timespan following a browser being spawned from outlook (my subsearch). Everything works find (the search andsubsearch) until I add the regex command limiting the filepath to the downloads folder.

I'm getting the error "Error in 'SearchOperator:regex': Usage: regex <field> (=|!=) <regex>."

Can anyone help me understand why the regex command is throwing it off? I think it's because it's taking the subsearch as part of the regex syntax but I don't know how to separate the two.

Search:

index=random_index event_simpleName=*FileWritten
| regex TargetFileName="^[\WD]\w*\S*\W(?:Users)\W\w+\.\w+\W(?:Downloads)\W\w+"
[search index=random_index* sourcetype=stuff event_simpleName=ProcessRollup* ParentBaseFileName=OUTLOOK.EXE ImageFileName IN (*firefox* *chrome* *edge*) CommandLine IN (*sharepoint.com*) NOT CommandLine IN (*vendor*)
| rename _time AS earliest
| eval latest=relative_time(_time,"+5min@min")
| table aid earliest latest
| format]
| table _time aid TargetFileName

Re: Subsearch not working with regex

yeahnah — Tue, 11 Apr 2023 21:19:21 GMT

Hi @asaphappy

The regex command will only filter results that match or not match (!=) the regular expression. Try removing the non capture group syntax and see if it helps, i.e.

| regex TargetFileName="^[\WD]\w*\S*\WUsers\W\w+\.\w+\WDownloads\W\w+"

If you are looking to use capture groups to pull fields out then use the rex command instead.

Hope that helps

Re: Subsearch not working with regex

asaphappy — Tue, 11 Apr 2023 21:23:08 GMT

Thanks for the reply.

That regex string actually works -- I tried the primary search alone and it did pull back all the results I was looking for. I did attempt to change the regex to the method you suggested but that still gave me the same error.

Re: Subsearch not working with regex

yeahnah — Tue, 11 Apr 2023 21:26:22 GMT

Ah yes, I had a closer look at your SPL query and see what your mean (hint: use the Insert/Edit code sample when adding SPL as it helps in readability.

Anyway, as you suspected the regex should come after the subsearch, which I suspect is supposed to be a filter for the base search. So something like this

index=random_index event_simpleName=*FileWritten [search index=random_index* sourcetype=stuff event_simpleName=ProcessRollup* ParentBaseFileName=OUTLOOK.EXE ImageFileName IN (*firefox* *chrome* *edge*) CommandLine IN (*sharepoint.com*) NOT CommandLine IN (*vendor*) | rename _time AS earliest | eval latest=relative_time(_time,"+5min@min") | table aid earliest latest | format ] | regex TargetFileName="^[\WD]\w*\S*\W(?:Users)\W\w+\.\w+\W(?:Downloads)\W\w+" | table _time aid TargetFileName

Re: Subsearch not working with regex

asaphappy — Wed, 12 Apr 2023 13:48:23 GMT

Sorry, this is my first time posting. I'll make sure to do that next time.

I tried your suggestion (moving the regex to after the subsearch) previously and the search returned with only the base search without the subsearch results fed into the base. So what I would see is all of the downloaded files of different users, but it should only be for that small subset of hosts that were seen spawning a browser from outlook.

Re: Subsearch not working with regex

ITWhisperer — Wed, 12 Apr 2023 14:05:09 GMT

Can you share some anonymised examples of events you would expect to keep and events you would expect to have been excluded by the regex. Please share in a code block </> so we can copy them to test solutions with.

Re: Subsearch not working with regex

asaphappy — Wed, 12 Apr 2023 15:23:54 GMT

Sure!

Events to keep:

\Device\HarddiskVolume3\Users\jill.michaels\Downloads\46.pdf \Device\HarddiskVolume3\Users\funny.bunny\Downloads\randomclientform.pdf \Device\HarddiskVolume3\Users\miley.cyrus\Downloads\data\uber.jar

Events to filter out

\Device\HarddiskVolume3\Users\random.user\AppData\Local\Temp\screenshot11913941210533618901.png \Device\HarddiskVolume3\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe

Re: Subsearch not working with regex

ITWhisperer — Wed, 12 Apr 2023 15:41:34 GMT

These events seem to be missing a number of significant fields: event_simpleName, ParentBaseFileName, ImageFileName, CommandLine, _time, aid

Re: Why is subsearch not working with regex?

woodcock — Wed, 12 Apr 2023 22:26:03 GMT

The subsearch, as written, must be an argument to "| search" so try this:

index=random_index event_simpleName=*FileWritten
| regex TargetFileName="^[\WD]\w*\S*\W(?:Users)\W\w+\.\w+\W(?:Downloads)\W\w+"
| search [search index=random_index* sourcetype=stuff event_simpleName=ProcessRollup* ParentBaseFileName=OUTLOOK.EXE ImageFileName IN (*firefox* *chrome* *edge*) CommandLine IN (*sharepoint.com*) NOT CommandLine IN (*vendor*)
| rename _time AS earliest
| eval latest=relative_time(_time,"+5min@min")
| table aid earliest latest
| format]
| table _time aid TargetFileName

Re: Why is subsearch not working with regex?

yeahnah — Wed, 12 Apr 2023 22:36:08 GMT

OK cool, I did not know that.