Splunk Enterprise
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Platform
- :
- Splunk Enterprise
- :
- Lookup doesn't work with wildcard within strings
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Lookup doesn't work with wildcard within strings
VK18
Explorer
10-01-2023
05:03 PM
We are currently using a regex pattern to match events against our raw data, and it works perfectly when we use the search app. The pattern we are using is:
C:\\Windows\\system32\\cmd\.exe*C:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\14\.3\.8289\.5000\.105\\Data\\Definitions\\WebExtDefs\\20230830\.063\\webextbridge\.exe*However, when we try to use this regex pattern in a lookup table, the events are not being matched. This seems to be because of the wildcard in the pattern. Despite defining the field name in the lookup definition (e.g., WILDCARD(process)), it still doesn't match the events.
I'm wondering if Splunk lookup supports wildcards within strings, or does it only support them at the beginning and end of strings?
Any insights or guidance on this matter would be greatly appreciated.
Regards
VK
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bowesmana
SplunkTrust
10-03-2023
07:27 PM
Splunk does not support regex patterns in lookups, ONLY wildcards, i.e. *, so your escaped . characters and \ characters should not be in the lookup.
Your pattern is a bit odd in that it has
C:\\Windows\\system32\\cmd\.exe*C:\\P...where the * in that, if it is a regex, is saying you need to repeat the preceding 'e' character 0 or more times.
If your process field contains C:\Windows\system32\cmd.exe ... then that should be the entry in the lookup and in the lookup entry you add * characters where you want to match any character in the data.
That * wildcarding is all that is supported in lookups.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
VK18
Explorer
10-04-2023
07:17 PM
Hi @bowesmana ,
Thank you for clarifying that Splunk lookup does not support regex patterns.
I have just attempted to include the following event in the Splunk lookup, with a wildcard at the end, in order to match other events occurring after "webextbridge.exe." But, looks like it is not working
Original event :-
C:\Windows\system32\cmd.exe /d /c C:\ProgramData\Symantec\Symantec Endpoint Protection\14.3.XXXX.5000.105\Data\Definitions\WebExtDefs\20230830.063\webextbridge.exe chrome-extension://XXXXXXXXXXXXXXXXXXXXXXXXXXXXX/ --parent-window=0 < \\.\pipe\chrome.nativeMessaging.in.XXXXXXXXXXXa3 > \\.\pipe\chrome.nativeMessaging.out.10f754de9b9001a3
Splunk lookup table field value :-
"C:\Windows\system32\cmd.exe /d /c C:\ProgramData\Symantec\Symantec Endpoint Protection\14.3.8289.5000.105\Data\Definitions\WebExtDefs\20230830.063\webextbridge.exe*"
Regards
VK
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bowesmana
SplunkTrust
10-04-2023
11:07 PM
That is really interesting and you are right - I tried these variants
C:\Windows\system32\cmd.exe /d /c C:\ProgramData\Symantec\Symantec Endpoint Protection\14.3.8289.5000.105\Data\Definitions\WebExtDefs\20230830.063\webextbridge.exe*
C:\Windows\system32\cmd.exe /d /c C:\ProgramData\Symantec\Symantec Endpoint Protection\14.3.8*
C:\Windows\system32\cmd.exe /d /c C:\ProgramData\Symantec\Symantec Endpoint Protection\*\webextbridge.exe*and the top two do not work, the last does. If I make the second one end in 14.3.* then it DOES work.
Not sure what's going on there,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
inventsekar
SplunkTrust
10-01-2023
06:21 PM
Hi @VK18 .. please check this post:
thanks and best regards,
Sekar
PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Sekar
PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
VK18
Explorer
10-03-2023
05:00 PM
HI @inventsekar,
I attempted to include a wildcard entry in transforms.conf, but unfortunately, it did not yield any successful results. It appears that Splunk lookup only accommodates wildcards at the start and end of a string and does not function when the wildcard is placed within the string.
Exmaple below where it is working
* webex.com
office*
Example below where it is not working
abc*def*ghi*
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
