Hello everyone, I have the following problem.
My inputlookup (a whitelist) has the following data structure:
host,dest_host,Host_Application
host1, dest_Host1,Host_Application1
host2, dest_Host2,Host_*2
My inputlookup is structured as follows:
NOT
[| inputlookup something2exclude.csv
| table * ]
The normalized search looks good for the first row (host1):
(host=host1 AND dest_Host=dest_Host1 AND Host_Application=Host_Application1)
But, for the second row I get an error message:
...contains a wildcard in the middle of a word or string. This might cause inconsistent results if the characters that the wildcard represents include punctuation.
How can I exclude the asterisk as a field value when using inputlookup?
Ok, how about this crazy idea.
|inputlookup exclude.csv
| eval Host_Application=replace(Host_Application,"\*","#")
| outputlookup exclude2.csv
Then change the .csv from your original search to the new one.
@blacknight659
This doesn't work because the string will no longer match and the results won't be filtered out.
If you don't follow the Eval from @twjack, I would extract the value and remove the "*".
NOT
[| inputlookup something.csv | fields host, dest_host, Host_Application]
| rex field=Host_Application "^(?<Host_ApplicationNew>[^*]*)"
To make it easier to understand and avoid confusion.
Assuming I have these kinds of log entries:
2017-10-10 10:53 <dest_host = dest_host2.domain.com> <Host_Application = C:\Windows\SYSNATIVE\WINDOW~1\v1.0\powershell.exe -command stop-process -processname DeployControlFullScanSCEP* -force>
and
2017-10-10 10:55 <dest_host = dest_host1.domain.com> <Host_Application = C:\Windows\SYSNATIVE\WINDOW~1\v1.0\powershell.exe>
and a lookup file called exclude.csv with the following structure:
host, dest_host, Host_Application
host1, dest_host1.domain.com, C:\Windows\SYSNATIVE\WINDOW~1\v1.0\powershell.exe
host2, dest_host2.domain.com, C:\Windows\SYSNATIVE\WINDOW~1\v1.0\powershell.exe -command stop-process -processname DeployControlFullScanSCEP* -force
To test my whitelisting, I narrow down the results with the following search to get only these events.
index=powershell Host_Application="C:\\Windows\\SYSNATIVE\\WINDOW~1\\v1.0\\powershell.exe -command stop-process -processname DeployControlFullScanSCEP* -force" OR Host_Application="C:\\Windows\\SYSNATIVE\\WINDOW~1\\v1.0\\powershell.exe"
| table host dest_host Host_Application
I get the correct table:
host, dest_host, Host_Application
host1, dest_host1.domain.com, C:\Windows\SYSNATIVE\WINDOW~1\v1.0\powershell.exe
host2, dest_host2.domain.com, C:\Windows\SYSNATIVE\WINDOW~1\v1.0\powershell.exe -command stop-process -processname DeployControlFullScanSCEP* -force
Now it's time to make this result disappear through an inputlookup and see if the whitelisting works.
index=powershell Host_Application="C:\\Windows\\SYSNATIVE\\WINDOW~1\\v1.0\\powershell.exe -command stop-process -processname DeployControlFullScanSCEP* -force" OR Host_Application="C:\\Windows\\SYSNATIVE\\WINDOW~1\\v1.0\\powershell.exe" NOT
[| inputlookup exclude.csv | table * ]
It works, but Splunk complains about the asterisk:
...contains a wildcard in the middle of a word or string. This might cause inconsistent results if the characters that the wildcard represents include punctuation.
I just can't figure out a solution that would satisfy Splunk. I hope that I was able to express my challenge more clearly.
@twjack
try this,
| inputlookup something.csv | eval Host_Application=replace(Host_Application,"\*","#") | rest of your search
Here is an example of the original field content that should not appear in the search results:
"C:\Windows\SYSNATIVE\WINDOW~1\v1.0\powershell.exe -command stop-process -processname DeployControlFullScanSCEP* -force".
All results with the following combination should no longer be present in the search results:
Host_Application="C:\Windows\SYSNATIVE\WINDOW~1\v1.0\powershell.exe -command stop-process -processname DeployControlFullScanSCEP* -force"
If I replace the asterisk with "#" then Splunk will not find the string and will not remove the results. In a search, I'd put it this way:
Host_Application!="C:\Windows\SYSNATIVE\WINDOW~1\v1.0\powershell.exe -command stop-process -processname DeployControlFullScanSCEP* -force".
or even
NOT Host_Application="C:\Windows\SYSNATIVE\WINDOW~1\v1.0\powershell.exe -command stop-process -processname DeployControlFullScanSCEP* -force".
Technically my variant listed below works: the results are filtered, but Splunk complains about the asterisk.
NOT
[| inputlookup something2exclude.csv
| table *]
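An alternative way to apply the exclude.csv whitelist described in the thread, added here as an example and not taken from any of the posts above: the lookup command compares field values literally (an asterisk is only treated as a wildcard when the lookup definition sets match_type = WILDCARD(...) in transforms.conf), so the value DeployControlFullScanSCEP* never becomes a search term and the wildcard warning is not raised. It assumes exclude.csv is uploaded with the columns host, dest_host and Host_Application and that the events carry those same three fields.

```spl
index=powershell
| lookup exclude.csv host, dest_host, Host_Application OUTPUT Host_Application AS whitelisted
| where isnull(whitelisted)
| fields - whitelisted
| table host dest_host Host_Application
```

File-based lookups match case-sensitively by default, so the column names and values in the CSV must match the event fields exactly (dest_host, not dest_Host). Replacing the where clause with `| where isnotnull(whitelisted)` shows which events the whitelist is removing, which is a useful check before putting the exclusion into a detection search.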