Splunk Enterprise Security

Regex help to grab a process

dsmeerkat
Explorer

So I have some data like below in my _raw:

Name: BES Client, Running as: LocalSystem, Path: ""C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClient.exe"", SHA1: 5bf0d29324081f2f830f7e66bba7aa5cb1c46047
Name: BESClientHelper, Running as: LocalSystem, Path: ""C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClientHelper.exe"", SHA1: c989ae2278a9f8d6d5c5ca90fca6a57d19b168b8 
Name: svchost.exe, PID: 424, PPID: 432, ( Started up: Mon, 19 Sep 2022 03:41:57 -0700 ), Running as: NT AUTHORITY\LOCAL SERVICE, Path: C:\Windows\System32\svchost.exe, SHA1: 3196f45b269a614a3926efc032fc9d75017f27e8
Name: scsrvc.exe, PID: 1384, PPID: 432, ( Started up: Mon, 19 Sep 2022 03:42:34 -0700 ), Running as: NT AUTHORITY\SYSTEM, Path: C:\Program Files\McAfee\Solidcore\scsrvc.exe, SHA1: ef1cc70f3e052a6c480ac2fe8cdfe21a502669cc

I am trying to parse out just the "running" process name like "BES Client" or "BESClientHelper"; however, it has to have the text "Running" behind it so I know it's a running process. Not the two "exe" files crossed out above.

Make sense? 🙂 Thanks!!

0 Karma

bowesmana
SplunkTrust

This will give you a process field with the name of the process if it has the "Running" text after.

| rex "Name: (?<process>[^,]*), Running"


0 Karma

dsmeerkat
Explorer

This doesn't quite work, as it grabs the first "Name: " it sees in the raw and in my case spits out "Adobe Acrobat" and then stops. Is there a way to keep it going, naming all the "Name: xxxxxxxx, Running"? Does that make sense?

0 Karma

bowesmana
SplunkTrust

@dsmeerkat 

Yes, I assumed these were separate rows, but if this is one big _raw event, then use the max_match=0 param with rex; that will make a multi-value field with all the found matches of the regex.

Here is an example with your data as a single event:

| makeresults
| eval _raw="Name: BES Client, Running as: LocalSystem, Path: \"\"C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClient.exe\"\", SHA1: 5bf0d29324081f2f830f7e66bba7aa5cb1c46047
Name: BESClientHelper, Running as: LocalSystem, Path: \"\"C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClientHelper.exe\"\", SHA1: c989ae2278a9f8d6d5c5ca90fca6a57d19b168b8 
Name: svchost.exe, PID: 424, PPID: 432, ( Started up: Mon, 19 Sep 2022 03:41:57 -0700 ), Running as: NT AUTHORITY\LOCAL SERVICE, Path: C:\Windows\System32\svchost.exe, SHA1: 3196f45b269a614a3926efc032fc9d75017f27e8
Name: scsrvc.exe, PID: 1384, PPID: 432, ( Started up: Mon, 19 Sep 2022 03:42:34 -0700 ), Running as: NT AUTHORITY\SYSTEM, Path: C:\Program Files\McAfee\Solidcore\scsrvc.exe, SHA1: ef1cc70f3e052a6c480ac2fe8cdfe21a502669cc"
| rex max_match=0 "Name: (?<process>[^,]*), Running"
0 Karma
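The same extraction outside Splunk, as an added example that is not part of the thread: it reproduces the behaviour bowesmana describes (a single match versus max_match=0 returning every match) with Python's re module, using the thread's own sample event as the constructed input. The running_with_hash helper is an added extension that also pulls the account and SHA1 from each matching line, which is what a defender usually wants next when reviewing a process inventory; its regex and field names are assumptions, not something from the original post.

```python
import re

# Constructed sample: the single multi-line _raw event quoted in the thread.
RAW = r"""Name: BES Client, Running as: LocalSystem, Path: ""C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClient.exe"", SHA1: 5bf0d29324081f2f830f7e66bba7aa5cb1c46047
Name: BESClientHelper, Running as: LocalSystem, Path: ""C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClientHelper.exe"", SHA1: c989ae2278a9f8d6d5c5ca90fca6a57d19b168b8
Name: svchost.exe, PID: 424, PPID: 432, ( Started up: Mon, 19 Sep 2022 03:41:57 -0700 ), Running as: NT AUTHORITY\LOCAL SERVICE, Path: C:\Windows\System32\svchost.exe, SHA1: 3196f45b269a614a3926efc032fc9d75017f27e8
Name: scsrvc.exe, PID: 1384, PPID: 432, ( Started up: Mon, 19 Sep 2022 03:42:34 -0700 ), Running as: NT AUTHORITY\SYSTEM, Path: C:\Program Files\McAfee\Solidcore\scsrvc.exe, SHA1: ef1cc70f3e052a6c480ac2fe8cdfe21a502669cc"""

# The regex from the accepted answer. "[^,]*" stops at the first comma, so the
# svchost/scsrvc lines (", PID:" follows the name) are correctly not matched.
PROCESS_RE = re.compile(r"Name: (?P<process>[^,]*), Running")


def first_match(raw):
    """Equivalent of plain `rex` (default max_match=1): only the first hit."""
    m = PROCESS_RE.search(raw)
    return m.group("process") if m else None


def all_matches(raw):
    """Equivalent of `rex max_match=0`: every hit as a list (multi-value field)."""
    return PROCESS_RE.findall(raw)


# Assumed extension (not from the thread): keep name, account and SHA1 together.
# No DOTALL flag, so ".*?" cannot run past the end of a line and pair a name
# with the hash of the next entry.
LINE_RE = re.compile(
    r"Name: (?P<process>[^,]*), Running as: (?P<user>[^,]*),.*?SHA1: (?P<sha1>[0-9a-fA-F]{40})"
)


def running_with_hash(raw):
    """Return (process, account, sha1) for each 'Running' entry in the event."""
    return [
        (m.group("process"), m.group("user"), m.group("sha1").lower())
        for m in LINE_RE.finditer(raw)
    ]


if __name__ == "__main__":
    print("first match only:", first_match(RAW))
    print("all matches:     ", all_matches(RAW))
    for proc, user, sha1 in running_with_hash(RAW):
        print(f"{proc!r} runs as {user!r} sha1={sha1}")
```

Note the limitation shared with the SPL regex: a process name containing a comma would be cut short by "[^,]*", so treat the extracted field as a display name, not a unique key; the SHA1 is the value worth pivoting on.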

VatsalJagani
SplunkTrust

You could append a search command to look for only those events.

| search process=*


0 Karma