Splunk Enterprise Security

Regex help to grab a process

dsmeerkat
Explorer

So I have some data like below in my _raw:

Name: BES Client, Running as: LocalSystem, Path: ""C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClient.exe"", SHA1: 5bf0d29324081f2f830f7e66bba7aa5cb1c46047
Name: BESClientHelper, Running as: LocalSystem, Path: ""C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClientHelper.exe"", SHA1: c989ae2278a9f8d6d5c5ca90fca6a57d19b168b8 
Name: svchost.exe, PID: 424, PPID: 432, ( Started up: Mon, 19 Sep 2022 03:41:57 -0700 ), Running as: NT AUTHORITY\LOCAL SERVICE, Path: C:\Windows\System32\svchost.exe, SHA1: 3196f45b269a614a3926efc032fc9d75017f27e8
Name: scsrvc.exe, PID: 1384, PPID: 432, ( Started up: Mon, 19 Sep 2022 03:42:34 -0700 ), Running as: NT AUTHORITY\SYSTEM, Path: C:\Program Files\McAfee\Solidcore\scsrvc.exe, SHA1: ef1cc70f3e052a6c480ac2fe8cdfe21a502669cc

I am trying to parse out just the "running" process name like "BES Client" or "BESClientHelper", however it has to have the text "Running" behind it so I know it's a running process. Not the two "exe" files crossed out above.

Make sense? 🙂 Thanks!!


bowesmana
SplunkTrust

This will give you a process field with the name of the process if it has the "Running" text after.

| rex "Name: (?<process>[^,]*), Running"



dsmeerkat
Explorer

This doesn't quite work, as it grabs the first "Name: " it sees in the raw and in my case spits out "Adobe Acrobat" and then stops. Is there a way to keep it going, naming all the "Name: xxxxxxxx, Running"? Does that make sense?


bowesmana
SplunkTrust

@dsmeerkat 

Yes, I assumed these were separate rows, but if this is one big _raw event, then use the max_match=0 param with rex; that will make a multivalue field with all the found matches of the regex.

Here is an example with your data as a single event

| makeresults
| eval _raw="Name: BES Client, Running as: LocalSystem, Path: \"\"C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClient.exe\"\", SHA1: 5bf0d29324081f2f830f7e66bba7aa5cb1c46047
Name: BESClientHelper, Running as: LocalSystem, Path: \"\"C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClientHelper.exe\"\", SHA1: c989ae2278a9f8d6d5c5ca90fca6a57d19b168b8 
Name: svchost.exe, PID: 424, PPID: 432, ( Started up: Mon, 19 Sep 2022 03:41:57 -0700 ), Running as: NT AUTHORITY\LOCAL SERVICE, Path: C:\Windows\System32\svchost.exe, SHA1: 3196f45b269a614a3926efc032fc9d75017f27e8
Name: scsrvc.exe, PID: 1384, PPID: 432, ( Started up: Mon, 19 Sep 2022 03:42:34 -0700 ), Running as: NT AUTHORITY\SYSTEM, Path: C:\Program Files\McAfee\Solidcore\scsrvc.exe, SHA1: ef1cc70f3e052a6c480ac2fe8cdfe21a502669cc"
| rex max_match=0 "Name: (?<process>[^,]*), Running"
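The two behaviours discussed in this thread, a plain rex that stops at the first "Name:" and rex max_match=0 that returns every hit, reproduced in Python as an added example. This is not code from the thread or from Splunk; it uses the four lines from the question as its input, and it goes one step further than the thread by parsing every entry (PID, PPID, start time, account, path, SHA1) so the hashes and the account each process runs as can be checked, which is what you usually want this data for. Note that Python's re module spells named groups (?P<name>...), whereas Splunk's PCRE accepts (?<name>...); the pattern is otherwise the same as the accepted answer.

```python
import re

# Copied from the thread's _raw, joined into one multi-line event as in the
# makeresults example above (the doubled ""..."" quotes are kept verbatim).
SAMPLE_RAW = "\n".join([
    'Name: BES Client, Running as: LocalSystem, Path: ""C:\\Program Files (x86)\\BigFix Enterprise\\BES Client\\BESClient.exe"", SHA1: 5bf0d29324081f2f830f7e66bba7aa5cb1c46047',
    'Name: BESClientHelper, Running as: LocalSystem, Path: ""C:\\Program Files (x86)\\BigFix Enterprise\\BES Client\\BESClientHelper.exe"", SHA1: c989ae2278a9f8d6d5c5ca90fca6a57d19b168b8',
    'Name: svchost.exe, PID: 424, PPID: 432, ( Started up: Mon, 19 Sep 2022 03:41:57 -0700 ), Running as: NT AUTHORITY\\LOCAL SERVICE, Path: C:\\Windows\\System32\\svchost.exe, SHA1: 3196f45b269a614a3926efc032fc9d75017f27e8',
    'Name: scsrvc.exe, PID: 1384, PPID: 432, ( Started up: Mon, 19 Sep 2022 03:42:34 -0700 ), Running as: NT AUTHORITY\\SYSTEM, Path: C:\\Program Files\\McAfee\\Solidcore\\scsrvc.exe, SHA1: ef1cc70f3e052a6c480ac2fe8cdfe21a502669cc',
])

# Same pattern as the accepted rex, with Python's (?P<name>...) group syntax.
# [^,]* cannot cross a comma, so an entry whose Name is followed by ", PID:"
# simply does not match; it is skipped rather than mis-matched.
RUNNING_RE = re.compile(r"Name: (?P<process>[^,]*), Running")


def first_running_process(raw):
    """Equivalent of rex without max_match: only the first hit is returned."""
    m = RUNNING_RE.search(raw)
    return m.group("process") if m else None


def running_processes(raw):
    """Equivalent of rex max_match=0: every hit, as the multivalue field holds them."""
    return [m.group("process") for m in RUNNING_RE.finditer(raw)]


# Full per-entry parser (my extension, not from the thread). The PID/PPID/start
# block is optional because the BES entries do not carry it; the Path may or may
# not be wrapped in doubled quotes, so "* absorbs whatever quoting is present.
ENTRY_RE = re.compile(
    r"Name: (?P<name>[^,]*), "
    r"(?:PID: (?P<pid>\d+), PPID: (?P<ppid>\d+), \( Started up: (?P<started>[^)]*) \), )?"
    r"Running as: (?P<user>[^,]*), "
    r'Path: "*(?P<path>[^",]*)"*, '
    r"SHA1: (?P<sha1>[0-9a-fA-F]{40})"
)

# Accounts that are SYSTEM-equivalent on Windows; a constructed set for filtering.
SYSTEM_ACCOUNTS = {"LocalSystem", "NT AUTHORITY\\SYSTEM"}


def parse_entries(raw):
    """One dict per 'Name:' entry; running_follows_name is the thread's criterion."""
    entries = []
    for m in ENTRY_RE.finditer(raw):
        d = m.groupdict()
        d["running_follows_name"] = d["pid"] is None
        d["sha1"] = d["sha1"].lower()
        entries.append(d)
    return entries


def system_level_processes(raw):
    """(name, sha1) for every entry running under a SYSTEM-equivalent account."""
    return [(e["name"], e["sha1"]) for e in parse_entries(raw) if e["user"] in SYSTEM_ACCOUNTS]


if __name__ == "__main__":
    print("first match only:", first_running_process(SAMPLE_RAW))
    print("max_match=0     :", running_processes(SAMPLE_RAW))
    for e in parse_entries(SAMPLE_RAW):
        print(e["name"], "|", e["user"], "|", e["sha1"], "| running_follows_name =", e["running_follows_name"])
    print("SYSTEM-level    :", system_level_processes(SAMPLE_RAW))
```

In Splunk the multivalue field from rex max_match=0 can be turned into one row per process with `| mvexpand process`, which is handy before joining the SHA1 values against a hash lookup; the caveat shared by both the rex and this Python version is that a process name containing a comma would be cut short by [^,]*.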

VatsalJagani
SplunkTrust

You could append a search command to look for only those events.

| search process=*

