Getting Data In

How to replace \\ with \?

adespino
Explorer

Hi, 

I am trying to use a lookup to whitelist/exclude some values from search results such as process_name.

But whenever I run a search with just the lookup to verify the possible exclusion, every instance of a backslash shows as a double backslash.

Like this: 

Search to verify whitelist/exclusion:

```
| inputlookup whitelist
| fields  whitelisted_process_name 
| rename whitelisted_process_name as process_name
| format
```

Search results: (process_name= C:\\...\\...\\...\\...\\...

What is actually on the lookup: process_name= C:\...\...\...\...\...

I have tried replacing the double backslash with a single one using the following commands and several other variations, but it does not seem to be working.

```
| eval process_name=replace(process_name,"\\\\(.)","\")
| eval process_name=replace(process_name,"\\\\(.)","\1")
| eval process_name=replace (process_name,"(\\\\)","\")
| replace "*\\\\*" WITH "\" IN process_name
```

Any help will be much appreciated. 


Thanks. 

0 Karma

ITWhisperer
SplunkTrust

Does this help?

```
| makeresults
| eval process_name="C:\\\\...\\\\...\\\\...\\\\...\\\\..."
| eval original_process_name=process_name
| rex mode=sed field=process_name "s/\\\\\\\\/\\\\/g"
```
0 Karma

adespino
Explorer

Hi @yeahnah 

Basically, I have an SPL search that detects several file modifications within a short time as a sign of a possible ransomware infection.

Unfortunately, I cannot share the whole search for security reasons.

What I can tell you is that the search uses a couple of data models to first provide information such as process name and object name, then identifies several file or folder modifications.

We have identified that this search produces several false positives from regular business activities, so we were trying to whitelist those using a lookup that contains some relevant fields to later exclude/whitelist.

If I run this specific portion of the search by itself, it looks right, without adding the double backslash:

```
| inputlookup whitelist
| fields  whitelisted_process_name 
| rename whitelisted_process_name as process_name
| format
| rex mode=sed field=search "s/\\\\\\\/\\\/g"
```

Result: (process_name="C:/Program Files/Computer/)

But whenever I put this portion of the search into the rest of the search to verify actual results, it adds the double backslash again.

Result seen in job inspector: (process_name="C://Program Files//Computer//)

Search structure example:

1. Datamodel=File_or_Folder_Modification calling important files.

2. Some field manipulation.

3. Another data model to verify process id or other file values modification.

4. Lookup related commands to attempt whitelisting.

5. Stats.

The issue here is that if someone goes into the lookup and enters a value to be whitelisted with a single backslash, it will not be matched because the actual lookup is looking for a double backslash.


 

Thank you very much for the help.
0 Karma

yeahnah
Motivator

Hi @adespino 

I'm not exactly sure what you are trying to do, but it's the format command that is adding the double backslashes to the search field.  Generally you'd use this command if you required a subsearch in your base search to filter the result set (include or exclude).  If that was the use case, the escaped backslashes are needed and make sense.

https://docs.splunk.com/Documentation/Splunk/9.0.5/SearchReference/Format

Maybe providing the whole query will help clarify what you want to achieve.

As a final note, if you still want to make the double backslashes single again, you could use a sed command like in this example...


```
| makeresults
| eval whitelisted_process_name="c:\some\folder\here"
| fields  whitelisted_process_name 
| rename whitelisted_process_name as process_name
| format
| rex mode=sed field=search "s/\\\\\\\/\\\/g"
```


 Hope that helps

0 Karma
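Two ways to turn the whitelist into an exclusion, as an added SPL example that is not part of the thread. The first pipeline builds both the events and the whitelist inline with `makeresults` (the sample paths are constructed for this example), so it runs with no lookup installed; it shows that the doubled backslashes `format` emits are exactly what the `search` command needs to match a literal `\` in the data, so they should not be collapsed with sed. The second pipeline assumes a lookup named `whitelist` with a field `whitelisted_process_name`, as in the thread, whose values are stored with single backslashes, and uses the `lookup` command instead of a subsearch: it compares field values directly and never goes through search-string escaping, so a single-backslash entry in the lookup matches a single-backslash `process_name`. The alias `is_whitelisted` is an arbitrary name chosen here.

```spl
| makeresults count=3
| streamstats count AS n
| eval process_name=case(n==1, "C:\\Windows\\System32\\svchost.exe",
                         n==2, "C:\\Program Files\\Backup\\backup.exe",
                         n==3, "C:\\Users\\Public\\dropper.exe")
| fields - n
| search NOT [| makeresults count=1
              | eval process_name="C:\\Program Files\\Backup\\backup.exe"
              | fields process_name
              | format]
| table _time process_name

| makeresults count=3
| streamstats count AS n
| eval process_name=case(n==1, "C:\\Windows\\System32\\svchost.exe",
                         n==2, "C:\\Program Files\\Backup\\backup.exe",
                         n==3, "C:\\Users\\Public\\dropper.exe")
| fields - n
| lookup whitelist whitelisted_process_name AS process_name OUTPUT whitelisted_process_name AS is_whitelisted
| where isnull(is_whitelisted)
| table _time process_name
```

In the first pipeline the subsearch hands `search` a string of the form `( ( process_name="..." ) )` with every backslash doubled, which the search parser unescapes back to single backslashes before comparing; only svchost.exe and dropper.exe survive. Replace the inner `makeresults`/`eval` with `| inputlookup whitelist | rename whitelisted_process_name AS process_name | fields process_name` for the thread's real lookup. The `lookup` form is also free of the subsearch result and time limits (10,000 rows and 60 seconds by default), so it is the better fit for a whitelist that grows. In both forms the comparison is an exact string match of the whole value (case-insensitive by default for file-based lookups); a whitelist entry has to be the full process path unless the lookup definition is configured with a WILDCARD `match_type` for that field.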