Splunk Search

Eval, Replace and Regular Expression

Path Finder

Hi Guys! i've got the next situation

Trying to replace some characters in this events:

\device\harddiskvolume4\windows\system32\dns.exe
\device\harddiskvolume4\windows\system32\lsass.exe
\device\harddiskvolume2\program files (x86)\fortinet\fsae\collectoragent.exe

With this sentence:

EventCode=5156 Application_Name = "*System32*" OR Application_Name = "*program files*"
| eval mAppName=replace(Application_Name, ".+\\", "") 

but when i try to do it Splunk tells me "Error in 'eval' command: Regex: \ at end of pattern"

Why is that? and how can i solve it?
Thanks a lot for answers

1 Solution

SplunkTrust
SplunkTrust

You should use sed to do a replace..

Show me what you currently have and what you want it to look like

It will be along the lines of this

... | rex mode=sed "s/<REGEX FROM ORIGINAL>/<REPLACE WITH>/g"

View solution in original post

0 Karma

Esteemed Legend

Keep adding backslashes \\ on top of the ones that you have until the error goes away. Yes, I really am serious; just like cowbells.

Builder

Holy shit this actually worked, lol. Nice one!

0 Karma

SplunkTrust
SplunkTrust

You should use sed to do a replace..

Show me what you currently have and what you want it to look like

It will be along the lines of this

... | rex mode=sed "s/<REGEX FROM ORIGINAL>/<REPLACE WITH>/g"

View solution in original post

0 Karma