https://community.splunk.com/t5/Splunk-Search/Problem-in-parsing-Powershell-commands/m-p/687649#M234525 <P>What is your full current search?</P> Wed, 15 May 2024 17:39:14 GMT ITWhisperer 2024-05-15T17:39:14Z https://community.splunk.com/t5/Splunk-Search/Problem-in-parsing-Powershell-commands/m-p/687498#M234470 <P>Hello Community!<BR />I am trying to set up a search to monitor Powershell commands from Windows hosts; specifically, I am starting from:</P><UL><LI>an index with the full messages related to PS commands, contained in a field named "<EM>Message</EM>"<UL><LI>(related, for example, to event codes 4101, 800, etc...)</LI></UL></LI><LI>a .csv file, with the list of commands I would like to monitored, contained in a column named "<EM>PS_command</EM>".</LI></UL><P>From these premises, I have already constructed a search that leverages on <EM>inputlookup</EM> to search the strings from the <EM>PS-monitored.csv</EM> file to the index field <EM>Message</EM>, outputting the result in a table, as the following (adding also details from the index: <EM>_time</EM>, <EM>host</EM> and <EM>EventCode</EM>).</P><P>&nbsp;</P><LI-CODE lang="markup">index="wineventlog" | search ( [|inputlookup PS-monitored.csv | eval Message= "*" + PS_command + "*" | fields Message] ) | table _time host EventCode Message</LI-CODE><P>&nbsp;</P><P>&nbsp;This, despite not being the most elegant solution (with the addition of wildcard characters *), is currently working, however I would also like to include the original search field (PS_command column from <EM>PS-monitored.csv</EM>) to the final table.</P><P>I tried to experiment a bit with <EM>lookup</EM> command, and with <EM>join</EM> options, without success; does anyone have some suggestions?</P><P>Finally, I would like avoid using heavy commands, such as join, if at all possible.</P><P>Thanks in advance!</P> Tue, 14 May 2024 14:42:04 GMT https://community.splunk.com/t5/Splunk-Search/Problem-in-parsing-Powershell-commands/m-p/687498#M234470 valleyman 2024-05-14T14:42:04Z https://community.splunk.com/t5/Splunk-Search/Problem-in-parsing-Powershell-commands/m-p/687510#M234476 <P>If you include the wildcards in your lookup matching field and define the lookup to use WILDCARD matching, you may be able to lookup a field in the lookup when there is a wildcard match. Please share some anonymised events and contents of your lookup so we can see the sorts of things you are trying to match.</P> Tue, 14 May 2024 15:48:33 GMT https://community.splunk.com/t5/Splunk-Search/Problem-in-parsing-Powershell-commands/m-p/687510#M234476 ITWhisperer 2024-05-14T15:48:33Z https://community.splunk.com/t5/Splunk-Search/Problem-in-parsing-Powershell-commands/m-p/687574#M234509 <P>&nbsp;</P><LI-CODE lang="markup">index="wineventlog" | search ( [|inputlookup PS-monitored.csv | eval Message= "*" + PS_command + "*" | fields Message] )</LI-CODE><P>&nbsp;</P><P>This makes my teeth itch <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P><P>But seriously - doing initial search and then piping to another search is... well, simply not elegant. Splunk will optimize it out anyway and treat as it would a single search command so you could just write it as</P><P>&nbsp;</P><LI-CODE lang="markup">index="wineventlog" [|inputlookup PS-monitored.csv | eval Message= "*" + PS_command + "*" | fields Message] </LI-CODE><P>&nbsp;</P><P>But that's less important.</P><P>More important thing is that you're creating a search with a <EM>Message=*something</EM> conditions. They will be very, very inefficient since Splunk has to parse every single event to find your matching ones.</P><P>Assuming your commands are "whole commands" meaning that if your command is "cmd", you're looking for strings like "whatever cmd whatever" and not "whatevercmd whatever" (notice the space difference), you can limit your search with</P><P>&nbsp;</P><LI-CODE lang="markup">index="wineventlog" [ | inputlookup PS-monitored.csv | eval search=PS_command | fields search | format ] [ | inputlookup PS-monitored.csv | eval Message= "*" + PS_command + "*" | fields Message] </LI-CODE><P>&nbsp;</P><P>You could also try to combine those two subsearches into one.</P> Wed, 15 May 2024 07:22:32 GMT https://community.splunk.com/t5/Splunk-Search/Problem-in-parsing-Powershell-commands/m-p/687574#M234509 PickleRick 2024-05-15T07:22:32Z https://community.splunk.com/t5/Splunk-Search/Problem-in-parsing-Powershell-commands/m-p/687600#M234514 <P>Hello!<BR />Thanks for the extensive and very useful feedback!</P><P>I have had chance to look at my search again, and with the correction suggested, I am now able to highlight correctly the strings I am interested in the Message field of the index, as the following example</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PS_command_search.jpg" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/30821i75F2EBAC72FC287C/image-size/large?v=v2&amp;px=999" role="button" title="PS_command_search.jpg" alt="PS_command_search.jpg" /></span></P><P>I am perhaps missing one final step, that is to add the <EM>search</EM> field from the following sub-search in the final table, as I understood the format command should add to my query.</P><LI-CODE lang="markup">[ | inputlookup PS-monitored.csv | eval search=PS_command | fields search | format ]</LI-CODE><P>I tried to look for a newly created field "search", or any new created ones, but couldn't find anything...am I missing something obvious?</P><P>Thanks again!</P> Wed, 15 May 2024 10:26:27 GMT https://community.splunk.com/t5/Splunk-Search/Problem-in-parsing-Powershell-commands/m-p/687600#M234514 valleyman 2024-05-15T10:26:27Z https://community.splunk.com/t5/Splunk-Search/Problem-in-parsing-Powershell-commands/m-p/687614#M234516 <P>search, and query are special field names which are removed from the subsearch results i.e. if the subsearch returned</P><LI-CODE lang="markup">( ( search="value1" ) OR ( search="value2" ) )</LI-CODE><P>it would be added to the main search as</P><LI-CODE lang="markup">( ( "value1" ) OR ( "value2" ) )</LI-CODE> Wed, 15 May 2024 12:38:41 GMT https://community.splunk.com/t5/Splunk-Search/Problem-in-parsing-Powershell-commands/m-p/687614#M234516 ITWhisperer 2024-05-15T12:38:41Z https://community.splunk.com/t5/Splunk-Search/Problem-in-parsing-Powershell-commands/m-p/687646#M234523 <P>Hello,</P><P>I think I'm not that far, unfortunately I still cannot figure out how to extract field PS_command from the inputlookup, and passing it into the main search, and eventually how to map it to the Message from the index.</P><P>Could you please try to built a little more on the answers?</P><P>Thanks again!</P> Wed, 15 May 2024 17:01:06 GMT https://community.splunk.com/t5/Splunk-Search/Problem-in-parsing-Powershell-commands/m-p/687646#M234523 valleyman 2024-05-15T17:01:06Z https://community.splunk.com/t5/Splunk-Search/Problem-in-parsing-Powershell-commands/m-p/687649#M234525 <P>What is your full current search?</P> Wed, 15 May 2024 17:39:14 GMT https://community.splunk.com/t5/Splunk-Search/Problem-in-parsing-Powershell-commands/m-p/687649#M234525 ITWhisperer 2024-05-15T17:39:14Z