How to search to exclude part of DIR from Windows log?

codedtech
Path Finder

Hello All, I'm trying to run a query that will allow me to exclude events with part of a file path built in a Windows event. The event looks like this:

alert: %PlaceStuffIsStored%\ANYTHING\STUFF\And\Things\Blah\Blah\Blah\Blah.EXE was allowed to run but would have been prevented from running if the AppLocker policy were enforced.

I was able to rex out the file path, so now I have a new field called path, which is Dir

Dir=%PlaceStuffIsStored%\ANYTHING\STUFF\And\Things\Blah\Blah\Blah\Blah.EXE

I've tried the basics but no luck 
Search!="*ANYTHING\STUFF\*" |mysearch  Not (Dir="*ANYTHING\STUFF\*")  
Thanks

0 Karma

cklunck
Path Finder

You may need to escape your backslashes. Does the following work?

<original_search>
| rex <extract Dir field here>
| search Dir!="*ANYTHING\\STUFF\\*"

 

Whether you use != or NOT as your exclusion operator is up to you - but understand that they may return different results. Check the article Difference between != and NOT for more details.

0 Karma
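An added example (not part of the original thread and not from either poster) that exercises the escaped-backslash filter from the answer together with the != versus NOT difference it mentions. The three rows are constructed with makeresults; the n and label fields are assumptions for illustration, and row 3 deliberately has no Dir field, as happens when the rex does not match an event:

```spl
| makeresults count=3
| streamstats count AS n
| eval label=case(n=1, "constructed: path under ANYTHING\\STUFF", n=2, "constructed: unrelated path", n=3, "constructed: Dir not extracted")
| eval Dir=case(n=1, "%PlaceStuffIsStored%\\ANYTHING\\STUFF\\And\\Things\\Blah\\Blah\\Blah\\Blah.EXE", n=2, "%PlaceStuffIsStored%\\OTHER\\Tools\\Thing.EXE")
| search Dir!="*ANYTHING\\STUFF\\*"
| table n label Dir
```

As written, only row 2 is returned. Replacing the filter with `| search NOT Dir="*ANYTHING\\STUFF\\*"` returns rows 2 and 3, so AppLocker events where the extraction failed stay visible instead of silently dropping out of the results.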