topic Regular Expression to Extract Values From a Field in Splunk Search

Regular Expression to Extract Values From a Field

Bytes — Tue, 29 Sep 2020 08:15:34 GMT

Hello Ninjas,

Am having some trouble trying to figure out how to use regex to perform a simple action.

So I have a field called Caller_Process_Name which has the value of C:\Windows\System32\explorer.exe

I want to take the "explorer.exe" part out of this field and place it in a new field (called process_name_short). So I see regex as the solution here.

I have been trying the following but I do not believe I am using regex correctly in Splunk and the documentation isn't very helpful.

| rex field=Caller_Process_Name (?<process_name_short>/(\w+)\.(\w+)$/)

I'm sure my regex is solid as it pulls out only the explorer.exe part of the string in the online regex testers.

Would anyone be willing to show me what I'm not doing right here please.

Thanks 🙂

Re: Regular Expression to Extract Values From a Field

richgalloway — Mon, 04 Jan 2016 16:18:04 GMT

Your regular expression doesn't match the example value. Working on regex101.com, I came up with this rex command.

... | rex field=Caller_Process_Name "\\(?<process_name_short>\w+\.\w+)$" | ...

Re: Regular Expression to Extract Values From a Field

javiergn — Mon, 04 Jan 2016 16:20:50 GMT

Try this:

| rex field=Caller_Process_Name "\/(?<process_name_short>[^\/]+$)"

Re: Regular Expression to Extract Values From a Field

javiergn — Mon, 04 Jan 2016 16:21:56 GMT

And the equivalent for Windows paths:

| rex field=Caller_Process_Name "\\\(?<process_name_short>[^\\\]+$)"

Re: Regular Expression to Extract Values From a Field

jmallorquin — Mon, 04 Jan 2016 16:23:44 GMT

Hi you can use this.

 | rex field=Caller_Process_Name "(?<process_name_short>[^\\]+$)"

Hope i help you

Re: Regular Expression to Extract Values From a Field

ArthurGautesen — Mon, 04 Jan 2016 16:27:06 GMT

Two questions off the top.
Is it "C:/Windows/System32/explorer.exe" or "C:\Windows\System32\explorer.exe" ?

And are you enclosing your regular expression in quotes?

Re: Regular Expression to Extract Values From a Field

Bytes — Mon, 04 Jan 2016 16:32:45 GMT

Apologies. There should be back slashes instead of forward slashes in the UNC path. Had to use forward slashes on the question as it wouldn't allow back slashes.

Re: Regular Expression to Extract Values From a Field

javiergn — Mon, 04 Jan 2016 16:35:44 GMT

See my answer below. I did answer both cases

Re: Regular Expression to Extract Values From a Field

Bytes — Tue, 29 Sep 2020 08:15:37 GMT

It should be back slashes as it is a normal Windows path. I added forward slashes as it wouldn't allow back slashes (as your answer shows 🙂 )

I wasn't using quotes but even if I do, it still fails to extract the value and place it in a new field named process_name_short.

Re: Regular Expression to Extract Values From a Field

richgalloway — Mon, 04 Jan 2016 16:40:25 GMT

Backslashes are allowed if you put the string within backtics. I've edited your question to use the right slashes.

Re: Regular Expression to Extract Values From a Field

Bytes — Mon, 04 Jan 2016 16:41:35 GMT

Nope neither worked. Got the error returned:

Error in 'rex' command: Encountered the following error while compiling the regex '\

Re: Regular Expression to Extract Values From a Field

javiergn — Mon, 04 Jan 2016 16:44:01 GMT

That's because I made a typo sorry:

 | rex field=Caller_Process_Name "\\\(?<process_name_short>[^\\\]+$)"

Re: Regular Expression to Extract Values From a Field

jmallorquin — Mon, 04 Jan 2016 16:44:23 GMT

this regex doesn't capture nothing... use mine 🙂

Re: Regular Expression to Extract Values From a Field

Bytes — Mon, 04 Jan 2016 16:44:39 GMT

Thank you! 🙂

Re: Regular Expression to Extract Values From a Field

richgalloway — Mon, 04 Jan 2016 16:46:46 GMT

Quotes are required. The extraction failed because the regex is incorrect.

Re: Regular Expression to Extract Values From a Field

javiergn — Mon, 04 Jan 2016 16:52:59 GMT

Re: Regular Expression to Extract Values From a Field

dcharboneau_spl — Mon, 04 Jan 2016 17:19:38 GMT

You should only have two (not three) backslashes at the beginning of the REX and in side the Brackets after the ^.

Re: Regular Expression to Extract Values From a Field

javiergn — Mon, 04 Jan 2016 17:38:39 GMT

It throws an error with two, I had to use three. See the picture above.
This works:

| stats count
| eval Caller_Process_Name = "C:\Windows\System32\explorer.exe"
| rex field=Caller_Process_Name "\\\(?<process_name_short>[^\\\]+$)"

This doesn't:

| stats count
| eval Caller_Process_Name = "C:\Windows\System32\explorer.exe"
| rex field=Caller_Process_Name "\\(?<process_name_short>[^\\]+$)"

Anyway, let's focus on the actual problem and not mine's 🙂

Re: Regular Expression to Extract Values From a Field

Bytes — Tue, 29 Sep 2020 08:15:47 GMT

Needed three slashes as the second was cancelling out the end square bracket.

But IT WORKED!

Here's the full command that worked:

| rex field=Caller_Process_Name "(?<process_name_short>[^\\\]+$)"

This pulls out the program name part of the path and places it in a new field called process_name_short which I was able to run a stats command on to count up the different programs throwing audit fails.

Thanks everyone!