Getting Data In

Nullqueue Windows Paths Regex

gclaytontmwa
New Member

Trying to send all events with this contained to nullqueue:

Host Application = C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe -NoLogo -Noninteractive -NoProfile -ExecutionPolicy Bypass & 'C:\WINDOWS\CCM\SystemTemp\02160779-88dd-4e84-96cc-7a1313cd97d9.ps1'

Here are my props & transforms entries:

[WinEventLog:Splunk-PowerShell]
TRANSFORMS-suppress-ps = suppress-powershell

[suppress-powershell]
REGEX=^Host\s?Application\s?=\s?C:\\WINDOWS\\system32\\WindowsPowerShell\\v1\.0\\PowerShell\.exe\s-NoLogo\s-Noninteractive\s-NoProfile\s-ExecutionPolicy\sBypass\s&\s'C:\\WINDOWS\\CCM\\SystemTemp\\[\d\w]{8}-[\d\w]{4}-[\d\w]{4}-[\d\w]{4}-[\d\w]{12}\.ps1'(\sFalse)?
DEST_KEY=queue
FORMAT=nullQueue

Matches when I use regex checkers like regexr. I've seen people suggest both double backslash and four backslashes for escaping, not sure which is appropriate for transforms. Using the four backslashes and the regex command in the search does work, but I need these events filtered out of indexing. I'd also like to use (?i) as a modifier for case insensitivity, but I need to get this part working first.

0 Karma

to4kawa
Ultra Champion
(?i)^Host\s?Application\s?=\s?C:.WINDOWS.system32.WindowsPowerShell.v1\.0.PowerShell\.exe\s-NoLogo\s-Noninteractive\s-NoProfile\s-ExecutionPolicy\sBypass\s&\s'C:.WINDOWS.CCM.SystemTemp.\w{8}-\w{4}-\w{4}-\w{4}-\w{12}\.ps1'(\sFalse)?

\  ⇨ .  If backslash behavior is a problem.

0 Karma
Get Updates on the Splunk Community!

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...

Avoid Certificate Expiry Issues in Splunk Enterprise with Certificate Assist

This blog post is part 2 of 4 of a series on Splunk Assist. Click the links below to see the other ...

Using Machine Learning for Hunting Security Threats

REGISTER NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more ...