Is there a format that needs to be adhered to when using a blacklist with regex?
I am trying to format "New Process Name:" with a regex that will extract events from a specific data source.
I have tested the regex with regex101; it identifies the events that I want to filter and is basically
blacklist3 = New\sProcess\sName\:\s+C\:\\Program\sFiles\s\(x86\)\\......
Should that work, or do I need to format it something more like
blacklist3 = New Process Name = C\:\\Program\sFiles\s\(x86\)\\......
My current blacklist is resulting in
ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - Processing: 'blacklist3' [legacy], range error found in 'regex'......
According to this document,
https://docs.splunk.com/Documentation/Splunk/9.0.3/Data/Whitelistorblacklistspecificincomingdata
blacklist = <your_custom_regex>
should work.
Thanks
Hi @dolj,
When you have a "\" backslash in your blacklist, you have to escape it using three backslashes:
blacklist3 = New\sProcess\sName:\s+C:\\\Program\sFiles\s\(x86\)\\\......
You can try it in Splunk search to find the correct regex to filter your filenames, something like this:
| makeresults | eval _raw= "C:\Program Files (x86)\Google" | regex "C:\\\Program Files \(x86\)\\\Google"
Ciao.
Giuseppe
Escaping with regex may make it hard to read, but luckily there is a smart way around it.
You can start and stop a literal section in a regex with \Q and \E around whatever you want matched literally.
| makeresults
| eval _raw= "C:\Program Files (x86)\Google"
| regex "\QC:\Program Files (x86)\Google\E"
This makes regex much more readable.
https://www.regular-expressions.info/characters.html
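Both answers above come down to the same check: does the blacklist regex match exactly the "New Process Name:" lines you intend to drop and nothing else? The script below is an added example, not code from the thread or from Splunk. It runs the backslash-escaped form from Giuseppe's answer and the \Q...\E form from the second answer against a few constructed Windows event lines, and reports which lines each pattern would drop and which it would keep. Splunk's regex engine understands \Q...\E but Python's re module does not, so the example translates those spans with re.escape before compiling; the escaping that inputs.conf itself applies to backslashes (the three-backslash point in Giuseppe's answer) is a separate config-parsing layer that this example does not model. The sample events and the pattern names are assumptions made for the example.

```python
import re

# Constructed sample event lines (not taken from the thread), shaped like the
# "New Process Name:" field of a Windows security event as forwarded by
# splunk-winevtlog.exe. Each Python "\\" is a single backslash in the text.
SAMPLE_EVENTS = [
    "New Process Name:\tC:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe",
    "New Process Name:\tC:\\Windows\\System32\\cmd.exe",
    "New Process Name:\tC:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-winevtlog.exe",
]

# Escaped form (every regex metacharacter escaped by hand).
ESCAPED_PATTERN = r"New\sProcess\sName:\s+C:\\Program\sFiles\s\(x86\)\\Google"

# Literal-span form: everything between \Q and \E is taken verbatim.
QUOTED_PATTERN = r"New Process Name:\s+\QC:\Program Files (x86)\Google\E"


def expand_literal_spans(pattern: str) -> str:
    """Rewrite PCRE-style \\Q...\\E spans into escapes Python's re accepts.

    Text outside the spans is passed through untouched; text inside is run
    through re.escape. As in PCRE, a \\Q with no closing \\E extends to the
    end of the pattern.
    """
    out = []
    pos = 0
    while True:
        start = pattern.find(r"\Q", pos)
        if start == -1:
            out.append(pattern[pos:])
            break
        out.append(pattern[pos:start])
        end = pattern.find(r"\E", start + 2)
        if end == -1:
            out.append(re.escape(pattern[start + 2:]))
            break
        out.append(re.escape(pattern[start + 2:end]))
        pos = end + 2
    return "".join(out)


def apply_blacklist(pattern: str, events):
    """Dry-run a blacklist regex: return (dropped, kept) for the given events.

    A blacklist discards events before they are indexed, so the 'dropped'
    list is what you would never see in Splunk; check it is no wider than
    intended.
    """
    compiled = re.compile(expand_literal_spans(pattern))
    dropped = [e for e in events if compiled.search(e)]
    kept = [e for e in events if not compiled.search(e)]
    return dropped, kept


if __name__ == "__main__":
    for name, pattern in (("escaped", ESCAPED_PATTERN), ("quoted", QUOTED_PATTERN)):
        dropped, kept = apply_blacklist(pattern, SAMPLE_EVENTS)
        print(f"{name}: compiled as {expand_literal_spans(pattern)!r}")
        for e in dropped:
            print("  DROP ", e)
        for e in kept:
            print("  KEEP ", e)
```

Running it shows both patterns dropping only the Google Update line and keeping cmd.exe and the forwarder's own binary; note that the "Program Files" prefix without "(x86)" is not matched, so a pattern written for the 32-bit directory will not silently discard events from the 64-bit one.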