Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to search for DR string ../../../../ ??

ShinR
Explorer
‎08-13-2021 01:05 AM

Hi everyone,

I just wanted to do a quick search in URLs requested in Splunk but cannot get the directory traversal string  (../../../../ o similar) to stick - it gets stripped from the query.  I've tried using quotes and it seems escaping shouldn't be necessary.  

Any suggestions?

Thanks

 

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-13-2021 05:30 AM

Please share the troublesome query.

---
If this reply helps you, Karma would be appreciated.
Reply

ShinR
Explorer
‎08-13-2021 07:55 AM

Sorry, here's a simple example:

index=* url="*../../../../*"

or 

index=* "../../../../"

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-13-2021 09:36 AM

I believe the problem is attempting to search for a string of minor blocker characters.  You may have better luck using a separate where command.

 

index=foo ```Always use explicit index names```
| where like(url, "../../../../%") ```Like is used instead of match to avoid escaping every character```

 

---
If this reply helps you, Karma would be appreciated.
Reply

ShinR
Explorer
‎08-13-2021 09:48 AM

Thanks again for the suggestion.  Unfortunately everything between the * and the % gets stripped when I execute the search.  

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-13-2021 04:35 PM

The asterisk was a typo.  Please try again without it.  

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

ShinR
Explorer
‎08-16-2021 01:37 AM

Same result unfortunately... does the same thing not happen on your splunk instance?

 

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-16-2021 05:06 AM

It does not happen on my instance (8.1.2)

richgalloway_0-1629115577281.png

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

NatSec
Explorer
‎12-16-2021 05:00 AM

I have the same issue on Splunk v8.2.1

Any solution please?

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...