Splunk Enterprise

Lookup doesn't work with wildcard within strings

VK18
Explorer

We are currently using a regex pattern to match events against our raw data, and it works perfectly when we use the search app. The pattern we are using is:

C:\\Windows\\system32\\cmd\.exe*C:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\14\.3\.8289\.5000\.105\\Data\\Definitions\\WebExtDefs\\20230830\.063\\webextbridge\.exe*

However, when we try to use this regex pattern in a lookup table, the events are not being matched. This seems to be because of the wildcard in the pattern. Despite defining the field name in the lookup definition (e.g., WILDCARD(process)), it still doesn't match the events.

I'm wondering if Splunk lookup supports wildcards within strings, or does it only support them at the beginning and end of strings?

Any insights or guidance on this matter would be greatly appreciated.

Regards
VK


bowesmana
SplunkTrust

Splunk does not support regex patterns in lookups, ONLY wildcards, i.e. *, so your escaped . characters and \ characters should not be in the lookup.

Your pattern is a bit odd in that it has

C:\\Windows\\system32\\cmd\.exe*C:\\P...

where the * in that, if it is a regex, is saying you need to repeat the preceding 'e' character 0 or more times.

If your process field contains C:\Windows\system32\cmd.exe ... then that should be the entry in the lookup, and in the lookup entry you add * characters where you want to match any character in the data.

That * wildcarding is all that is supported in lookups.


VK18
Explorer

Hi @bowesmana ,

Thank you for clarifying that Splunk lookup does not support regex patterns.

I have just attempted to include the following event in the Splunk lookup, with a wildcard at the end, in order to match other events occurring after "webextbridge.exe". But it looks like it is not working.

Original event:
C:\Windows\system32\cmd.exe /d /c C:\ProgramData\Symantec\Symantec Endpoint Protection\14.3.XXXX.5000.105\Data\Definitions\WebExtDefs\20230830.063\webextbridge.exe chrome-extension://XXXXXXXXXXXXXXXXXXXXXXXXXXXXX/ --parent-window=0 < \\.\pipe\chrome.nativeMessaging.in.XXXXXXXXXXXa3 > \\.\pipe\chrome.nativeMessaging.out.10f754de9b9001a3

Splunk lookup table field value:
"C:\Windows\system32\cmd.exe /d /c C:\ProgramData\Symantec\Symantec Endpoint Protection\14.3.8289.5000.105\Data\Definitions\WebExtDefs\20230830.063\webextbridge.exe*"

Regards
VK


bowesmana
SplunkTrust

That is really interesting and you are right - I tried these variants

C:\Windows\system32\cmd.exe /d /c C:\ProgramData\Symantec\Symantec Endpoint Protection\14.3.8289.5000.105\Data\Definitions\WebExtDefs\20230830.063\webextbridge.exe*
C:\Windows\system32\cmd.exe /d /c C:\ProgramData\Symantec\Symantec Endpoint Protection\14.3.8*
C:\Windows\system32\cmd.exe /d /c C:\ProgramData\Symantec\Symantec Endpoint Protection\*\webextbridge.exe*

and the top two do not work, the last does. If I make the second one end in 14.3.* then it DOES work.

Not sure what's going on there.


inventsekar
SplunkTrust

Hi @VK18 .. please check this post:

https://community.splunk.com/t5/Splunk-Search/Can-we-use-wildcard-characters-in-a-lookup-table/m-p/9...


thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading!

VK18
Explorer

Hi @inventsekar,
I attempted to include a wildcard entry in transforms.conf, but unfortunately, it did not yield any successful results. It appears that Splunk lookup only accommodates wildcards at the start and end of a string and does not function when the wildcard is placed within the string.

Example below where it is working:

* webex.com
office*

Example below where it is not working:
abc*def*ghi*

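As an added example (not code from the thread, and not Splunk's own matching code), the following Python script emulates the rule bowesmana describes: in a lookup whose transforms.conf stanza declares `match_type = WILDCARD(process)`, only `*` is special and every other character, including `.` and `\`, is literal. It runs the three lookup values bowesmana tried, the regex-style pattern from the original question, and the `abc*def*ghi*` shape from VK18's last post against a constructed command line modelled on the one VK18 posted (extension and pipe IDs replaced with placeholders; the `category` output column and its values are hypothetical). The script implements plain glob semantics, under which all three of bowesmana's variants match; it does not reproduce whatever made the first two fail inside Splunk, but it gives a baseline for checking a lookup CSV offline before loading it.

```python
import re

# Constructed sample event, modelled on the command line VK18 posted
# (extension and pipe IDs replaced with obvious placeholders).
SAMPLE_PROCESS = (
    r"C:\Windows\system32\cmd.exe /d /c "
    r"C:\ProgramData\Symantec\Symantec Endpoint Protection\14.3.8289.5000.105"
    r"\Data\Definitions\WebExtDefs\20230830.063\webextbridge.exe "
    r"chrome-extension://EXAMPLEEXTENSIONID/ --parent-window=0 "
    r"< \\.\pipe\chrome.nativeMessaging.in.EXAMPLE "
    r"> \\.\pipe\chrome.nativeMessaging.out.EXAMPLE"
)

# The three lookup values bowesmana tried, in the order given in the thread.
THREAD_VARIANTS = [
    r"C:\Windows\system32\cmd.exe /d /c C:\ProgramData\Symantec\Symantec Endpoint Protection\14.3.8289.5000.105\Data\Definitions\WebExtDefs\20230830.063\webextbridge.exe*",
    r"C:\Windows\system32\cmd.exe /d /c C:\ProgramData\Symantec\Symantec Endpoint Protection\14.3.8*",
    r"C:\Windows\system32\cmd.exe /d /c C:\ProgramData\Symantec\Symantec Endpoint Protection\*\webextbridge.exe*",
]

# The regex-style pattern from the original question. To a WILDCARD lookup the
# escaped '\\' and '\.' sequences are literal characters, so it cannot match.
REGEX_STYLE_PATTERN = (
    r"C:\\Windows\\system32\\cmd\.exe*C:\\ProgramData\\Symantec\\Symantec Endpoint Protection"
    r"\\14\.3\.8289\.5000\.105\\Data\\Definitions\\WebExtDefs\\20230830\.063\\webextbridge\.exe*"
)


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate a lookup value into an anchored regex with glob semantics:
    '*' matches any run of characters; everything else is escaped and literal."""
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(literal_parts) + "$", re.DOTALL)


def wildcard_match(pattern: str, value: str) -> bool:
    """True when the whole value matches the lookup pattern."""
    return wildcard_to_regex(pattern).match(value) is not None


# A two-column lookup table as it would be loaded from CSV. On the Splunk side
# the matching rule is declared in transforms.conf with
#   match_type = WILDCARD(process)
# (hypothetical rows; 'category' is the output column).
LOOKUP_ROWS = [
    {"process": THREAD_VARIANTS[2], "category": "sep_webext_bridge"},
    {"process": r"C:\Windows\system32\cmd.exe /d /c *", "category": "cmd_with_args"},
]


def lookup(rows, match_field, value, output_field):
    """Emulate lookup enrichment: return output_field from the first row whose
    match_field pattern matches value, or None when no row matches."""
    for row in rows:
        if wildcard_match(row[match_field], value):
            return row[output_field]
    return None


def check_thread_variants():
    """Match result for each of bowesmana's three variants under glob semantics."""
    return [wildcard_match(p, SAMPLE_PROCESS) for p in THREAD_VARIANTS]


if __name__ == "__main__":
    for pattern, ok in zip(THREAD_VARIANTS, check_thread_variants()):
        print(f"{ok!s:5} ...{pattern[-45:]}")
    print("regex-style pattern matches:", wildcard_match(REGEX_STYLE_PATTERN, SAMPLE_PROCESS))
    print("mid-string wildcards:", wildcard_match("abc*def*ghi*", "abc1def2ghi3"))
    print("lookup category:", lookup(LOOKUP_ROWS, "process", SAMPLE_PROCESS, "category"))
```

Row order matters in `lookup`, as it does for a Splunk lookup returning a single match: the broad `cmd.exe /d /c *` row is listed last so the more specific webextbridge row wins for the sample event.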