How to replace \\ with \?
Hi,
I am trying to use a lookup to whitelist/exclude some values from search results such as process_name.
But whenever I run a search with just the lookup to verify the possible exclusion, every instance of a backslash shows as a double backslash.
Like this:
Search to verify whitelist/exclusion:

```
| inputlookup whitelist
| fields whitelisted_process_name
| rename whitelisted_process_name as process_name
| format
```

Search results: `(process_name= C:\\...\\...\\...\\...\\...`

What is actually in the lookup: `process_name= C:\...\...\...\...\...`
I have tried replacing the double backslash with a single one using the following commands and several other variations, but it does not seem to be working.

```
| eval process_name=replace(process_name,"\\\\(.)","\")
| eval process_name=replace(process_name,"\\\\(.)","\1")
| eval process_name=replace (process_name,"(\\\\)","\")
| replace "*\\\\*" WITH "\" IN process_name
```
Any help will be much appreciated.
Thanks.

Does this help?
```
| makeresults
| eval process_name="C:\\\\...\\\\...\\\\...\\\\...\\\\..."
| eval original_process_name=process_name
| rex mode=sed field=process_name "s/\\\\\\\\/\\\\/g"
```
Hi @yeahnah
Basically, I have an SPL search that detects several file modifications within a short time as part of a possible ransomware infection.
Unfortunately, I cannot share the whole search due to security reasons.
What I can tell you is that the search uses a couple of data models to first provide information such as process name and object name, then identifies several file or folder modifications.
We have identified that this search produces several false positives from regular business activities, so we were trying to whitelist those using a lookup that contains some relevant fields to later be excluded/whitelisted.
If I run this specific portion of the search by itself it looks right, without adding the double backslash:

```
| inputlookup whitelist
| fields whitelisted_process_name
| rename whitelisted_process_name as process_name
| format
| rex mode=sed field=search "s/\\\\\\\/\\\/g"
```

Result: `(process_name="C:/Program Files/Computer/)`

But whenever I add this portion to the rest of the search to verify actual results, it adds the double backslash again.

Result seen in the job inspector: `(process_name="C://Program Files//Computer//)`

Search structure example:

1. Datamodel=File_or_Folder_Modification calling important files.
2. Some field manipulation.
3. Another data model to verify process id or other file values modification.
4. Lookup related commands to attempt whitelisting.
5. Stats.

The issue here is that if someone goes into the lookup and enters a value to be whitelisted with a single backslash, it will not be matched, because the actual lookup is looking for a double backslash.
Thank you very much for the help.
Hi @adespino
I'm not exactly sure what you are trying to do, but it's the format command that is adding the double backslashes to the search field. Generally you'd use this command if you required a subsearch in your base search to filter the result set (include or exclude). If that was the use case, the escaped backslashes are needed and make sense.
https://docs.splunk.com/Documentation/Splunk/9.0.5/SearchReference/Format
Maybe providing the whole query will help clarify what you want to achieve.
As a final note, if you still want to make the double backslashes single again, you could use a sed command like in this example...
```
| makeresults
| eval whitelisted_process_name="c:\some\folder\here"
| fields whitelisted_process_name
| rename whitelisted_process_name as process_name
| format
| rex mode=sed field=search "s/\\\\\\\/\\\/g"
```
Hope that helps
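As an added example (not from either poster), the exclusion can also be done without `format` at all: the `lookup` command compares field values directly, so the single-backslash paths stored in the `whitelist` lookup match the single-backslash `process_name` values in the events and no escaping round-trip happens. It assumes the lookup named `whitelist` from the thread with its `whitelisted_process_name` column; the two `makeresults` rows are constructed test data standing in for the data-model output.

```spl
| makeresults count=2
| streamstats count AS n
| eval process_name=if(n=1, "C:\\Program Files\\Computer\\app.exe", "C:\\Users\\bob\\Downloads\\unknown.exe")
| lookup whitelist whitelisted_process_name AS process_name OUTPUT whitelisted_process_name AS whitelist_hit
| where isnull(whitelist_hit)
```

Only the row whose `process_name` is absent from the lookup survives the `where`; in the `eval` string literal `\\` is the escape for one backslash, so the constructed values carry single backslashes just like real events. If whitelist entries need wildcards or case-insensitive matching, set `match_type = WILDCARD(whitelisted_process_name)` or `case_sensitive_match = false` in the lookup definition rather than rewriting the values.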
