topic Re: Help on rex and regex in Splunk Search

How to extract and filter fields with rex and regex?

jip31 — Mon, 31 Jul 2023 17:56:32 GMT

I need help to extract and to filter fields with rex and regex

1) i need to use a rex field on path wich end by ".exe"

Example : in path C:\ProgramFiles\Toto\alert.exe in need to catch "alert.exe"

2)i need to filter events which have a path in AppData\Roaming and which end by .exe

I have done this but it doesnt works

| regex NewProcess=(?i)\\\\AppData\\\\Roaming\\\\[^\\\\]+\\.exe$"

Thanks

Re: Help on rex and regex

gcusello — Tue, 25 Jul 2023 15:03:59 GMT

Hi @jip31 ,

about the first question: the value to use is already in a field or in raw log?

if in a field you can use:

| rex field=your_field "(?<exe>\w+\.exe)"

if in the raw log, please share a sample of your logs so I can adapt the above regex.

About the second question, please share a sample of your logs.

Ciao.

Giuseppe

Re: Help on rex and regex

jip31 — Wed, 26 Jul 2023 10:34:30 GMT

It works fine for question 1 thanks

For question 2, i need to extract from the field NewProcessName the entire path each time there is AppData\Roaming in the path and whenever the path finish by .exe

Example : NewProcessName="....\....\AppData\Roaming\......\toto.exe"

In this case, i need to catch the entire path

Re: Help on rex and regex

gcusello — Wed, 26 Jul 2023 14:08:13 GMT

Hi @jip31 ,

I need a sample of the raw log to be sure of the regex.

Ciao.

Giuseppe

Re: Help on rex and regex

jip31 — Wed, 26 Jul 2023 16:25:33 GMT

Its not a raw log but a simple field which is in reality a path

When there is AppData\Roaming in this field and when this field end path by .exe, i need to catch it in a new path

For example if the field has the syntax below, i need to catch it

"C:\Users\....\AppData\Roaming\....\...\test.exe"

Sorry i cant share a true example due to sensible data

Re: Help on rex and regex

gcusello — Wed, 26 Jul 2023 18:01:08 GMT

Hi @jip31 ,

you could mask data replacing your words with non sense letters maintaining the same number anf types of chars.

Anyway, please try this:

| regex "C:\\Users\\.*\\AppData\\Roaming\\.*\\.*\\\w+.exe"

Ciao.

Giuseppe

Re: Help on rex and regex

jip31 — Fri, 28 Jul 2023 06:08:56 GMT

First, if i am not mistaken the diffetence between rex and regex is this one?

" rex will let you extract fields from your data. regex is quite a different thing - it's a search command that uses regular expression syntax to filter search results. It will not extract any fields."

Concernibg my need, i have a field called "NewProcessName" which contains different process path

In this field i need to find the path which contains AppData\\Roaming

So i have done this :

NewProcessName="*\\AppData\\Roaming\\*"

In my stats command, i do a values of this field : | stats values(NewProcessName) as summary

Now from the field summary i need to extract the end of this path which end by ".exe"

So i think i need a rex command to do this

Sorry for my mistake

Could you help please ?

Re: Help on rex and regex

gcusello — Fri, 28 Jul 2023 10:46:32 GMT

Hi @jip31,

yes, you're correct: rex extracts fields, regex searches for a string with rules.

If you want to have a statistic for the NewProcessName, you have to extract them and use this new field in the stats command.

You have only to understand (this is unoe of the requirements) if you want the full path or a part of it, then you can extract this fields using a regex and use it.

About the question of the search: yes you can search using the asterisks in the end and the beginning but it is less performant than a regex.

I hope to have helped you, if you nedd help to extract the newProcessname usig a regex, tell me. but if you need the full path you already have it (it's the starting point) if you don't want he full path, please give me the rules.

Ciao.

Giuseppe

Re: Help on rex and regex

gcusello — Sat, 29 Jul 2023 05:05:55 GMT

Hi @jip31,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉