Splunk Search

Detection exclusion setting by using Regex?

Ange
Explorer

Hi, everyone.

Need some help for detection exclusion setting. 

Want to exclude detections of  the files which are applicable to the file path below.
c:\users\01234567\downloads\1234567890123xx.exe

For preventing alerts, I would like to use "13 digits number" and "xx.exe" as indicators.

For now, I found it can be excluded only by "xx.exe."
ex) file_path="*xx.exe"

Although, when I use regex like below, it doesn't work.
ex) file_path="*\d{13}xx.exe"

Could you please let me know how to set both "13 digits number" and "xx.exe" as indicators for excluding detections?

Labels (3)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @Ange,

if you are not sure about the number of digits (like in your example) you could use something like this:

<your_search>
| rex "(?<file>\d+xx\.exe)$"
| search NOT file=*
| ...

If instead you're sure about the number of digits (17), you could use something like this:

<your_search>
| rex "(?<file>\d{17}xx\.exe)$"
| search NOT file=*
| ...

Ciao.

Giuseppe

View solution in original post

Tags (1)

Ange
Explorer

@gcusello 

I checked with below and now it works correctly

 

| regex file_path="\d{13}xx.exe"

 

Thank you very much for your great support!

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Ange,

good for you, see next time!

Please accept one answer for the other people of Community

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

Ange
Explorer

@gcusello 

Thank you for your reply and support!

The number of digits are always 13, so I checked with the second one like below.

 

| rex "(?<file>\d{13}xx\.exe)$"
| search NOT file=*
| start count by file
| sort - count

 

Although it couldn't work accurately. 

In addition, just in case, I checked like this.

 

| rex "(?<file>\d\d\d\d\d\d\d\d\d\d\d\d\dxx\.exe)$"
| search NOT file=*
| start count by file
| sort - count

 

But the result was the same.

It seems "\d" is not working correctly on my computer.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Ange,

It's very strange because it's a standard regex operator.

Anyway, what do you mean saying: "It seems "\d" is not working correctly on my computer.", what's the not correct result you're receiving?

is it wrong every time or sometimes is it correct?

Ciao.

Giuseppe

gcusello
SplunkTrust
SplunkTrust

Hi @Ange,

if you are not sure about the number of digits (like in your example) you could use something like this:

<your_search>
| rex "(?<file>\d+xx\.exe)$"
| search NOT file=*
| ...

If instead you're sure about the number of digits (17), you could use something like this:

<your_search>
| rex "(?<file>\d{17}xx\.exe)$"
| search NOT file=*
| ...

Ciao.

Giuseppe

Tags (1)
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...