Splunk Search

Escaping quotes in where command

Sasquatchatmars
Communicator

Hi all,

I have been trying to use a where command but I'm stuck because of the double quotes that I can't escape.

My command is this:

| where match(content_body,"\"https://.*".recipient.".*\"")

I have the feeling that this isn't the right way to do it; I got no results, but I'm almost sure there are some. When I change it to

| where match(content_body,"<https://.*".recipient.".*>")

I get the other results that I want. So I think it is only the escaping that doesn't work as expected. Can someone confirm whether I am right or not?

Thank you

Sasquatchatmars

0 Karma

Sasquatchatmars
Communicator

Hi @ITWhisperer,

Thank you for your reply. Yes, it is exactly the same; that is why I don't understand why it doesn't work.

Sasquatchatmars

0 Karma

ITWhisperer
SplunkTrust

Can you share the rest of your query and a line or two from your logs (anonymised of course)?

0 Karma

Sasquatchatmars
Communicator

This is my search query.

index=[index_name]
| rename content_body{} AS content_body, receiver_email{} AS receiver_email
| where match(content_body,"\"https://.*".recipient.".*\" ")
| dedup sender_email
| table recipient sender_email content_body username

FYI, recipient is firstname.lastname@domainname

And the part of the log is:

"https://f22c834a4f224bcbb563c127f7a8477f.svc.dynamics.com/t/r/zyqi3=
CfkIaT_ZSLfiMGTiZjG5y-6Cc5jKCmGO0YH-Nc#[recipient]:e8990=3D23"

/!\ Be aware, this link is a phishing link /!\

0 Karma

ITWhisperer
SplunkTrust

If recipient is firstname.lastname@domainname, is this the same as receiver_email? Can you use

| where match(content_body,"\"https://.*".receiver_email.".*\" ")
0 Karma

Sasquatchatmars
Communicator

Yes, it is the same. Splunk has made two fields, one called receiver_email and the other recipient, but they are the same.

If I replace my command with yours it doesn't work either.

0 Karma

ITWhisperer
SplunkTrust

The example you gave doesn't have a firstname.lastname@domainname in it. I assume this is because you anonymised it. But you have also anonymised username which you say works. There doesn't appear to be anything wrong with your match, so the conclusion is that there are no matches in your data.

0 Karma

Sasquatchatmars
Communicator

I did indeed make an error: in the log part it isn't supposed to be "username" but "recipient". I will make the change.

Maybe there is no hit, but in that case I don't know what search I should use to verify whether the field "recipient" is in the URL. Do you maybe know?

0 Karma

ITWhisperer
SplunkTrust

content_body needs to be rebuilt as a complete string

| eval content_body=mvjoin(content_body,"")
| rex field=content_body mode=sed "s/=[\n\r]+//g"
0 Karma
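To see why the escaping was right all along (as ITWhisperer says below) and the match still returned nothing until the body was rebuilt, here is an added Python example, not from the thread or from Splunk, that reproduces the situation on constructed data. The host example.invalid, the token, the address first.last@example.com and the assumption that each multivalue entry still carries its CR/LF terminator are all made up for the illustration. It mirrors the original per-value match, then the accepted answer's mvjoin plus sed step, and goes one step further than the thread by escaping the recipient address and decoding the remaining quoted-printable escapes so the real URL can be recovered for blocklisting.

```python
import quopri
import re

# Constructed sample (not from the thread): a multivalue content_body as the
# question describes, one value per line of a quoted-printable mail body. The
# URL is cut by a soft line break ("=" at end of line) and "=3D" encodes a
# literal "=". Host, token and address are placeholders.
RECIPIENT = "first.last@example.com"
CONTENT_BODY_MV = [
    'Click here: "https://example.invalid/t/r/zyqi3=\r\n',
    'CfkIaT_ZSLfiMGTiZjG5y-6Cc5jKCmGO0YH-Nc#first.last@example.com:e8990=3D23"\r\n',
    "Regards\r\n",
]


def naive_match(values, recipient):
    """Mirror the original search, which concatenated the raw recipient field
    into the regex. Against a multivalue field each value is tested alone: the
    opening quote and https:// sit in one value, the recipient in the next, so
    no single value matches even though the quote escaping is correct."""
    pattern = re.compile(r'"https://.*' + recipient + r'.*"')
    return any(pattern.search(v) for v in values)


def rebuild_body(values):
    """Equivalent of the accepted answer: mvjoin(content_body,"") followed by
    the sed expression s/=[\\n\\r]+//g. Assumes (constructed here) that each
    value keeps its line terminator, so the soft break "=\\r\\n" survives the
    join and can be stripped to reassemble the URL."""
    joined = "".join(values)
    return re.sub(r"=[\n\r]+", "", joined)


def match_recipient_url(body, recipient, escape=True):
    """Does a quoted https URL in the body contain the recipient address?
    escape=True applies re.escape so the dots in the address are literal; with
    the raw field, as in the thread's search, "." matches any character and
    first.last also matches firstXlast. [^"]* instead of .* keeps the match
    inside a single quoted URL rather than spanning the whole body."""
    needle = re.escape(recipient) if escape else recipient
    pattern = re.compile(r'"https://[^"]*' + needle + r'[^"]*"')
    return pattern.search(body) is not None


def extract_urls(body):
    """Recover the URLs as the mail client would render them: decode the
    remaining quoted-printable escapes (=3D -> =) and return every quoted
    https URL, e.g. to feed a blocklist or a Splunk lookup of known links."""
    decoded = quopri.decodestring(body.encode("utf-8")).decode("utf-8")
    return re.findall(r'"(https://[^"]+)"', decoded)


if __name__ == "__main__":
    print("per-value match:", naive_match(CONTENT_BODY_MV, RECIPIENT))
    body = rebuild_body(CONTENT_BODY_MV)
    print("rebuilt match:  ", match_recipient_url(body, RECIPIENT))
    for url in extract_urls(body):
        print("url:", url)
```

The per-value match returns False and the rebuilt match returns True on the same data, which is the behaviour the thread observed. If the multivalue entries in a given sourcetype do not keep their line terminators, the join alone reassembles the URL but leaves the soft-break "=" inside it; the match still succeeds because of the wildcard, yet the extracted link would be wrong, which is why the decode step is worth adding before anything is compared against a blocklist.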

Sasquatchatmars
Communicator

Thank you very much for your help, this is what I needed!

0 Karma

ITWhisperer
SplunkTrust

The escaping looks right. Does the recipient field have the value you are searching for, as it would be found in the content_body field of the same event?

0 Karma