Splunk Search

How to extract and filter fields with rex and regex?

jip31
Motivator

Hi

I need help to extract and filter fields with rex and regex.

1) I need to use a rex on a path field which ends with ".exe"

Example: in the path C:\ProgramFiles\Toto\alert.exe I need to catch "alert.exe"

2) I need to filter events which have a path in AppData\Roaming and which ends with .exe

I have done this but it doesn't work:

| regex NewProcessName="(?i)\\\\AppData\\\\Roaming\\\\[^\\\\]+\\.exe$"

Thanks

1 Solution

gcusello
SplunkTrust

Hi @jip31,

yes, you're correct: rex extracts fields, regex searches for a string with rules.

If you want to have a statistic for the NewProcessName, you have to extract them and use this new field in the stats command.

You have only to understand (this is one of the requirements) if you want the full path or a part of it, then you can extract these fields using a regex and use them.

About the question of the search: yes, you can search using the asterisks at the end and the beginning but it is less performant than a regex.

I hope to have helped you. If you need help to extract the NewProcessName using a regex, tell me, but if you need the full path you already have it (it's the starting point); if you don't want the full path, please give me the rules.

Ciao.

Giuseppe


gcusello
SplunkTrust

Hi @jip31,

about the first question: is the value to use already in a field or in the raw log?

If it's in a field you can use:

| rex field=your_field "(?<exe>\w+\.exe)"

If it's in the raw log, please share a sample of your logs so I can adapt the above regex.

About the second question, please share a sample of your logs.

Ciao.

Giuseppe

jip31
Motivator

It works fine for question 1, thanks

For question 2, I need to extract from the field NewProcessName the entire path each time there is AppData\Roaming in the path and whenever the path finishes with .exe

Example: NewProcessName="....\....\AppData\Roaming\......\toto.exe"

In this case, I need to catch the entire path


gcusello
SplunkTrust

Hi @jip31,

I need a sample of the raw log to be sure of the regex.

Ciao.

Giuseppe


jip31
Motivator

Hi

It's not a raw log but a simple field which is in reality a path

When there is AppData\Roaming in this field and when the path in this field ends with .exe, I need to catch it in a new path

For example, if the field has the syntax below, I need to catch it

"C:\Users\....\AppData\Roaming\....\...\test.exe"

Sorry, I can't share a true example due to sensitive data


gcusello
SplunkTrust

Hi @jip31,

you could mask the data by replacing your words with nonsense letters, maintaining the same number and types of chars.

Anyway, please try this:

| regex NewProcessName="C:\\\\Users\\\\.*\\\\AppData\\\\Roaming\\\\.*\\\\.*\\\\\w+\\.exe"

Ciao.

Giuseppe

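An added end-to-end search (not from the thread) that combines the two answers: a cheap wildcard term narrows the events, the regex command enforces the exact rule (AppData\Roaming anywhere in the path, ending in .exe), rex extracts the executable name and the first directory under Roaming, and stats summarises per executable. The index name, the EventCode and the field names exe and roaming_app are my assumptions; NewProcessName is the field named in the thread.

```spl
index=wineventlog EventCode=4688 NewProcessName="*\\AppData\\Roaming\\*"
| regex NewProcessName="(?i)\\\\AppData\\\\Roaming\\\\.*\\.exe$"
| rex field=NewProcessName "(?i)(?<exe>[^\\\\]+\\.exe)$"
| rex field=NewProcessName "(?i)\\\\AppData\\\\Roaming\\\\(?<roaming_app>[^\\\\]+)"
| stats count values(NewProcessName) as summary by roaming_app exe
```

Inside a double-quoted SPL string `\\` becomes a single backslash before the regex engine sees it, so a literal backslash in a Windows path needs four backslashes in regex and rex, while the wildcard search term on the first line only needs two.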

jip31
Motivator

Hi

First, if I am not mistaken, the difference between rex and regex is this one?

"rex will let you extract fields from your data. regex is quite a different thing - it's a search command that uses regular expression syntax to filter search results. It will not extract any fields."

Concerning my need, I have a field called "NewProcessName" which contains different process paths

In this field I need to find the paths which contain AppData\\Roaming

So I have done this:

NewProcessName="*\\AppData\\Roaming\\*"

In my stats command, I do a values of this field: | stats values(NewProcessName) as summary

Now from the field summary I need to extract the end of this path which ends with ".exe"

So I think I need a rex command to do this

Sorry for my mistake

Could you help please?



gcusello
SplunkTrust

Hi @jip31,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉
