Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Lookup doesn't work with wildcard within strings

VK18
Explorer
‎10-01-2023 05:03 PM

We are currently using a regex pattern to match events against our raw data, and it works perfectly when we use the search app. The pattern we are using is:

C:\\Windows\\system32\\cmd\.exe*C:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\14\.3\.8289\.5000\.105\\Data\\Definitions\\WebExtDefs\\20230830\.063\\webextbridge\.exe*

However, when we try to use this regex pattern in a lookup table, the events are not being matched. This seems to be because of the wildcard in the pattern. Despite defining the field name in the lookup definition (e.g., WILDCARD(process)), it still doesn't match the events.

I'm wondering if Splunk lookup supports wildcards within strings, or does it only support them at the beginning and end of strings?

Any insights or guidance on this matter would be greatly appreciated.

Regards
VK

Labels (1)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎10-03-2023 07:27 PM

Splunk does not support regex patterns in lookups, ONLY wildcards, i.e. *, so your escaped . characters and \ characters should not be in the lookup.

Your pattern is a bit odd in that it has

C:\\Windows\\system32\\cmd\.exe*C:\\P...

where the * in that, if it is a regex, is saying you need to repeat the preceding 'e' character 0 or more times.

If your process field contains C:\Windows\system32\cmd.exe ...  then that should be the entry in the lookup and in the lookup entry you add * characters where you want to match any character in the data.

That * wildcarding is all that is supported in lookups.

0 Karma
Reply

VK18
Explorer
‎10-04-2023 07:17 PM

Hi @bowesmana ,

Thank you for clarifying that Splunk lookup does not support regex patterns.

I have just attempted to include the following event in the Splunk lookup, with a wildcard at the end, in order to match other events occurring after "webextbridge.exe." But, looks like it is not working

Original event :-
C:\Windows\system32\cmd.exe /d /c C:\ProgramData\Symantec\Symantec Endpoint Protection\14.3.XXXX.5000.105\Data\Definitions\WebExtDefs\20230830.063\webextbridge.exe chrome-extension://XXXXXXXXXXXXXXXXXXXXXXXXXXXXX/ --parent-window=0 < \\.\pipe\chrome.nativeMessaging.in.XXXXXXXXXXXa3 > \\.\pipe\chrome.nativeMessaging.out.10f754de9b9001a3

Splunk lookup table field value :-
"C:\Windows\system32\cmd.exe /d /c C:\ProgramData\Symantec\Symantec Endpoint Protection\14.3.8289.5000.105\Data\Definitions\WebExtDefs\20230830.063\webextbridge.exe*"

Regards
VK

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎10-04-2023 11:07 PM

That is really interesting and you are right - I tried these variants

C:\Windows\system32\cmd.exe /d /c C:\ProgramData\Symantec\Symantec Endpoint Protection\14.3.8289.5000.105\Data\Definitions\WebExtDefs\20230830.063\webextbridge.exe*
C:\Windows\system32\cmd.exe /d /c C:\ProgramData\Symantec\Symantec Endpoint Protection\14.3.8*
C:\Windows\system32\cmd.exe /d /c C:\ProgramData\Symantec\Symantec Endpoint Protection\*\webextbridge.exe*

and the top two do not work, the last does. If I make the second one end in 14.3.* then it DOES work.

Not sure what's going on there, 

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎10-01-2023 06:21 PM

Hi @VK18 .. please check this post:

https://community.splunk.com/t5/Splunk-Search/Can-we-use-wildcard-characters-in-a-lookup-table/m-p/9...

 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

VK18
Explorer
‎10-03-2023 05:00 PM

HI @inventsekar,
I attempted to include a wildcard entry in transforms.conf, but unfortunately, it did not yield any successful results. It appears that Splunk lookup only accommodates wildcards at the start and end of a string and does not function when the wildcard is placed within the string.

Exmaple below where it is working 

* webex.com
office*

Example below where it is not working
abc*def*ghi*

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
Top