Escaping (*) in Fieldvalues while inputlookup

New Member

Hello everyone, I have the following problem.

My inputlookup (a whitelist) has the following data structure:

host,dest_host,Host_Application
host1, dest_Host1,Host_Application1
host2, dest_Host2,Host_*2

My inputlookup is structured as follows:

NOT 
    [| inputlookup something2exclude.csv 
    | table * ]

The normalized search looks good for the first row (host1):

(host=host1 AND dest_Host=dest_Host1 AND Host_Application=Host_Application1)

But, for the second row I get an error message:

...contains a wildcard in the middle of a word or string. This might cause inconsistent results if the characters that the wildcard represents include punctuation.

How can I exclude the asterisk as a field value while using inputlookup?

0 Karma

Explorer

Ok, how about this crazy idea.

|inputlookup exclude.csv
| eval Host_Application=replace(Host_Application,"\*","#") 
| outputlookup exclude2.csv

Then change the .csv from your original search to the new one.

0 Karma

New Member

@blacknight659

This doesn't work because the string will no longer match and the results won't be filtered out.

0 Karma

Explorer

If you don't follow the Eval from @twjack, I would extract the value and remove the "*".

NOT
[| inputlookup something.csv | fields host, dest_host, Host_Application]
| rex field=Host_Application "^(?<Host_ApplicationNew>[^*]+)"

0 Karma

New Member

To make it easier to understand and avoid confusion.

Assuming I have these kinds of log entries:

2017-10-10 10:53  <dest_host = dest_host2.domain.com> <Host_Application = C:\Windows\SYSNATIVE\WINDOW~1\v1.0\powershell.exe -command stop-process -processname DeployControlFullScanSCEP* -force>

and

2017-10-10 10:55  <dest_host = dest_host1.domain.com> <Host_Application = C:\Windows\SYSNATIVE\WINDOW~1\v1.0\powershell.exe>

and a lookup file called exclude.csv with the following structure:

host, dest_host, Host_Application
host1, dest_host1.domain.com, C:\Windows\SYSNATIVE\WINDOW~1\v1.0\powershell.exe
host2, dest_host2.domain.com, C:\Windows\SYSNATIVE\WINDOW~1\v1.0\powershell.exe -command stop-process -processname DeployControlFullScanSCEP* -force

To test my whitelisting I narrow down the results with the following search to get only these events.

index=powershell Host_Application="C:\\Windows\\SYSNATIVE\\WINDOW~1\\v1.0\\powershell.exe -command stop-process -processname DeployControlFullScanSCEP* -force" OR Host_Application="C:\\Windows\\SYSNATIVE\\WINDOW~1\\v1.0\\powershell.exe"
| table host dest_host Host_Application

I get the correct table:

host, dest_host, Host_Application
host1, dest_host1.domain.com, C:\Windows\SYSNATIVE\WINDOW~1\v1.0\powershell.exe
host2, dest_host2.domain.com, C:\Windows\SYSNATIVE\WINDOW~1\v1.0\powershell.exe -command stop-process -processname DeployControlFullScanSCEP* -force

Now it's time to make this result disappear through an inputlookup and see if the whitelisting works.

index=powershell Host_Application="C:\\Windows\\SYSNATIVE\\WINDOW~1\\v1.0\\powershell.exe -command stop-process -processname DeployControlFullScanSCEP* -force" OR Host_Application="C:\\Windows\\SYSNATIVE\\WINDOW~1\\v1.0\\powershell.exe" NOT 
    [| inputlookup exclude.csv | table * ]

It works but Splunk complains about the asterisk:

...contains a wildcard in the middle of a word or string. This might cause inconsistent results if the characters that the wildcard represents include punctuation.

I just can't figure out a solution that would satisfy Splunk. I hope that I was able to express my challenge more clearly.

0 Karma

Motivator

@twjack
try this,

| inputlookup something.csv | eval Host_Application=replace(Host_Application,"\*","#") | rest of your search

New Member

Here is an example of the original field content that should not appear in the search results:

"C:\Windows\SYSNATIVE\WINDOW~1\v1.0\powershell.exe -command stop-process -processname DeployControlFullScanSCEP* -force".

All results with the following combination should no longer be present in the search results:

Host_Application="C:\Windows\SYSNATIVE\WINDOW~1\v1.0\powershell.exe -command stop-process -processname DeployControlFullScanSCEP* -force"

If I replace the asterisk with "#" then Splunk will not find the string and will not remove the results. In a search, I'd put it this way:

Host_Application!="C:\Windows\SYSNATIVE\WINDOW~1\v1.0\powershell.exe -command stop-process -processname DeployControlFullScanSCEP* -force".

or even

NOT Host_Application="C:\Windows\SYSNATIVE\WINDOW~1\v1.0\powershell.exe -command stop-process -processname DeployControlFullScanSCEP* -force".

Technically my variant listed below works, the results are filtered but Splunk complains about the asterisk.

NOT
    [| inputlookup something2exclude.csv 
    | table *]

0 Karma
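A subsearch-free way to apply the same whitelist, added here as an illustration and not taken from any of the posts above: the lookup command compares the three fields literally (an asterisk in the CSV is only treated as a wildcard if the lookup definition sets a WILDCARD match_type in transforms.conf), so no search string containing "*" is ever generated and the warning does not appear. It assumes exclude.csv with the columns shown above has been uploaded as a lookup file; the field name whitelisted is an arbitrary alias chosen for this example.

```spl
index=powershell
| lookup exclude.csv host dest_host Host_Application OUTPUT host AS whitelisted
| where isnull(whitelisted)
| table host dest_host Host_Application
```

Lookup matching is case-sensitive by default, so the CSV values must match the event field values exactly, including the trailing asterisk that is part of the logged command line.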