Splunk Enterprise Security

Can anyone tell me why I am getting the following search error: "Error in 'rex' command: Invalid argument: 'NOT'"

Harish217
New Member

Can anyone let me know why I am getting this error?

| rex field=url "(?\w+\.\w+)\/"
    [| inputlookup IOCs-URLs.csv
| stats values(UrL) as url
    | format]
| stats count as NumOTimes by src_ip,url
0 Karma

splunkerer
Path Finder

These are mostly because of search order. let me give an example.

If you run this one you will get exact same error message "Error in 'rex' command: Invalid argument: 'NOT'"

 

index=foo OR 
index=bar | spath output=message path=message | rex field=message "dst=(?<remote_ip>\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})"
[| makeresults | eval remote_ip=""
| eval remote_ip=split(remote_ip,",") 
| mvexpand remote_ip
| table remote_ip] 

| stats dc(remote_ip) as total

 


However, if you run the following, no error at all, hope this helps. so problem is not on rex, it is highly likely due to the search logic. 

 

index=foo OR 
index=bar | spath output=message path=message | rex field=message "dst=(?<remote_ip>\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})"
|  search [| makeresults | eval remote_ip=""
| eval remote_ip=split(remote_ip,",") 
| mvexpand remote_ip
| table remote_ip] 

| stats dc(remote_ip) as total

 



0 Karma

richgalloway
SplunkTrust
SplunkTrust

The \/ sequence in rex commands requires additional escaping. Try `\\/'.

BTW, if you put your SPL inside backticks (`) or highlight it and click the "101010" button special characters will be preserved and we'll be able to see the full query.

---
If this reply helps you, Karma would be appreciated.
0 Karma

Harish217
New Member

didn't work, still same error - Error in 'rex' command: Invalid argument: 'NOT'

here is my current SPL

index=xxxx*
| rex field=url "(?<domain>\w+\.\w+)\\/"
    [| inputlookup IOCs-URLs.csv
    | stats values(UrL) as url
    | format]
| stats count as NumOTimes by src_ip,url
0 Karma

richgalloway
SplunkTrust
SplunkTrust

The general rule of thumb for escape characters in rex is to add more until the command works.
My answer had three backslashes, but your comment only has two. Perhaps that's just a copy error.

I totally missed another problem that could be causing the error. The inputlookup subsearch looks like it's mis-placed. Recall that subsearches execute first and the results are substituted into the main search. So, after your subsearch the main search will look something like index=xxxx* | rex field=url "(?<domain>\w+\.\w+)\\\/" fourtion.com/qyBf2DfGd | stats count as NumOfTime by src_ip,url. See how Splunk would think you have an invalid rex command?

Before we spend too much time debugging the subsearch, please explain what you are trying to do with it. There may be another way to achieve your goal.

---
If this reply helps you, Karma would be appreciated.
0 Karma

Harish217
New Member

I have tried it with three backslashes as well. No luck!

Here is my scenario, I have had a list of IOCs that I would like to search with our datasets (indexes) to find if any Users tried to reach to those IOCs. as the list of IOCs kept increasing we have created a lookup table with a list of '80+ urls' (without using 'http://') example: fourtion.com/qyBf2DfGd

As I have created the lookup table, now would like to see if any user has accessed these IOCs listed in inputlookup table in Enterprise Security using SLP. let me know if you more information.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Try this

# This will find any events containing a string from the IOCs-URLs.csv lookup table
index=xxxx* [ | inputlookup IOCs-URLs.csv | return 100 $url ] 
| stats count as NumOfTime by src_ip, url
---
If this reply helps you, Karma would be appreciated.
0 Karma

Vijeta
Influencer

Any sample data for url field?

0 Karma

Harish217
New Member

here is the sample data from the table IOCs-URLs.csv -
- 'I would suggest not to go to the click or go to this IOC'.

fourtion.com/qyBf2DfGd
0 Karma

Vijeta
Influencer

The error is not with rex command , it is because you are usinfg [|inputlookup immediately after rex. Try like this

index=xxxx*
 | rex field=url "(?<domain>\w+\.\w+)\\/" | fields domain url
     [| inputlookup IOCs-URLs.csv
     | stats values(UrL) as url
     | format]
 | stats count as NumOTimes by src_ip,url
0 Karma

Harish217
New Member

This SPL didn't give me any error but somehow giving me all events matched but not displaying any results on the Statistics.

Below is the status from Splunk search : 

1,550,000 of 1,550,000 events matched
but - Statistics (0)

0 Karma
Get Updates on the Splunk Community!

2024 Splunk Career Impact Survey | Earn a $20 gift card for participating!

Hear ye, hear ye! The time has come again for Splunk's annual Career Impact Survey!  We need your help by ...

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...