Hi all,
I have been trying to use a where command but I'm stuck because of the double quotes that I can't escape.
My command is this:
| where match(content_body,"\"https://.*".recipient.".*\"")
I have the feeling that this isn't the right way to do it: I got no results, but I'm almost sure there are some. When I change it to
| where match(content_body,"<https://.*".recipient.".*>")
I get the other results that I want. So I think it is only the escaping that doesn't work correctly. Can someone confirm whether I am right or not?
Thank you
Sasquatchatmars
Hi @ITWhisperer,
Thank you for your reply. Yes, it is exactly the same; that is why I don't understand why it doesn't work.
Sasquatchatmars
Can you share the rest of your query and a line or two from your logs (anonymised of course)?
This is my search query:
index=[index_name]
| rename content_body{} AS content_body, receiver_email{} AS receiver_email
| where match(content_body,"\"https://.*".recipient.".*\" ")
| dedup sender_email
| table recipient sender_email content_body username
FYI, recipient is firstname.lastname@domainname.
And the part of the log is:
"https://f22c834a4f224bcbb563c127f7a8477f.svc.dynamics.com/t/r/zyqi3=
CfkIaT_ZSLfiMGTiZjG5y-6Cc5jKCmGO0YH-Nc#[recipient]:e8990=3D23"
/!\ Be aware, this link is a phishing link /!\
If recipient is firstname.lastname@domainname, is this the same as receiver_email? Can you use
| where match(content_body,"\"https://.*".receiver_email.".*\" ")
Yes, it is the same. Splunk has made two fields, one called receiver_email and the other recipient, but they are the same.
If I replace my command with yours it doesn't work either.
The example you gave doesn't have a firstname.lastname@domainname in it. I assume this is because you anonymised it. But you have also anonymised username which you say works. There doesn't appear to be anything wrong with your match, so the conclusion is that there are no matches in your data.
I did indeed make an error: in the log part it isn't supposed to be "username" but "recipient". I will make the change.
Maybe there is no hit, but in that case I don't know what I should use as a search to verify whether the field "recipient" is in the URL. Do you maybe know?
content_body needs to be rebuilt as a complete string
| eval content_body=mvjoin(content_body,"")
| rex field=content_body mode=sed "s/=[\n\r]+//g"
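As an added illustration (not code from the thread or from Splunk), the rebuild step of this answer and the pattern from the where clause replayed in Python on a constructed copy of the posted log line, folded the way a quoted-printable body arrives in the multivalue field; the recipient address is an assumed placeholder:

```python
import re

# Constructed sample (not from the original thread): the URL from the post as
# Splunk delivered it in the multivalue field content_body{}. The body is
# quoted-printable, so the line is folded with a trailing "=" soft line break.
# The recipient address is an assumed placeholder.
RECIPIENT = "jane.doe@example.com"
CONTENT_BODY_MV = [
    '"https://f22c834a4f224bcbb563c127f7a8477f.svc.dynamics.com/t/r/zyqi3=\r\n',
    f'CfkIaT_ZSLfiMGTiZjG5y-6Cc5jKCmGO0YH-Nc#{RECIPIENT}:e8990=3D23"\r\n',
]

def rebuild_body(values):
    """Equivalent of the answer above: mvjoin(content_body, "") followed by
    rex mode=sed "s/=[\\n\\r]+//g" -- join the lines, then drop the "="
    soft line breaks so the URL becomes one contiguous string."""
    joined = "".join(values)
    return re.sub(r"=[\n\r]+", "", joined)

def quoted_url_mentions(body, recipient):
    """Same shape as the where clause:  "https://.*<recipient>.*"
    The recipient is escaped so the dots in firstname.lastname match
    literally instead of acting as regex wildcards."""
    pattern = r'"https://.*' + re.escape(recipient) + r'.*"'
    return re.search(pattern, body) is not None

def check_event(values, recipient):
    """Return (match on the folded lines, match on the rebuilt body) to show
    why the rebuild is needed: the quote, the scheme and the recipient never
    sit on the same line until the soft breaks are removed."""
    per_line = any(quoted_url_mentions(v, recipient) for v in values)
    rebuilt = quoted_url_mentions(rebuild_body(values), recipient)
    return per_line, rebuilt

if __name__ == "__main__":
    print(rebuild_body(CONTENT_BODY_MV))
    print(check_event(CONTENT_BODY_MV, RECIPIENT))  # (False, True)
```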
Thank you very much for your help, this is what I needed!
The escaping looks right. Does the recipient field have the value you are searching for, as it would be found in the content_body field of the same event?