topic Re: regex to grab .exe files in Splunk Search

regex to grab .exe files

splunkingsplun1 — Mon, 28 Sep 2020 13:47:40 GMT

these are my logs and i need to grab complete .exe filenames:

1366986567.625 41 94.229.0.20 TCP_DENIED/403 1896 GET http://193.142.244.17/lxkj3824y896yursilh/5492.exe cindy@demo.com NONE/- - BLOCK_WBRS-DefaultGroup-Demo_Clients-NONE-NONE-NONE - -

1366984129.742 47 27.35.11.11 NONE/503 1890 GET http://topwinsystemscan.com/install/installpv.exe maximus@demo.com NONE/topwinsystemscan.com - OTHER-NONE-Demo_Clients-NONE-NONE-DefaultRouting - -

1366965031.191 8 203.172.197.2 TCP_DENIED/403 1866 GET http://81.174.66.128/.comete/10.exe tom@demo.com NONE/- - BLOCK_WBRS-DefaultGroup-Demo_Clients-NONE-NONE-NONE - -

this is my progress so far:

| rex field=_raw "http://[a-z0-9./]+(?<EXE>)[A-Za-z0-9].exe)"

Re: regex to grab .exe files

martin_mueller — Fri, 26 Apr 2013 15:49:17 GMT

Assuming you want the bit from after the slash (exclusive) to the .exe (inclusive), try something like this:

... | rex "/(?<filename>[^/]+?\.exe)"

This looks for a slash, then grabs as few non-slashes as possible until the first .exe mention. Note, this would fail if you have entries like foo/bar.exefile.something because it would recognize bar.exe - if you expect those cases then you can for example include the trailing space in the regular expression after the closing parenthesis.

Re: regex to grab .exe files

tgow — Fri, 26 Apr 2013 15:52:47 GMT

You are very close but try this one and see if it works for you:

... | rex field=_raw "\s+http://[a-zA-Z0-9./]+\/(?[^.]+).exe\s+"

the lookahead assertion might have been causing problems. I also grabbed everything up to the last slash then the field "exe" is populated with everything that is not a period. Just a different technique but hope this works out for you.