I'm attempting to verify a blacklist parameter for a wineventlog stanza by using regex and rex in search and the escape character backslash (\) is being treated incorrectly by both regex and rex.
For instance, I know that Splunk search uses PCRE for regex.
If the message field contents are as follows
A network share object was checked to see whether client can be granted desired access.
Security ID: S-1-5-21-001
Account Name: testuser
Account Domain: CONTOSO
Logon ID: 0xA04CAB48
Object Type: File
Source Address: 192.168.0.1
Source Port: 62387
Share Name: \\*\uemprofiles
Share Path: \??\D:\UEM\uemprofiles
Relative Target Name: testuser\favorites\thisisawebpage.url
Access Request Information:
Access Mask: 0x2
Accesses: WriteData (or AddFile)
Access Check Results:
WriteData (or AddFile): Granted by D:(A;;0x1301bf;;;WD)
Given the documentation on backslash escape chars (hxxps://docs.splunk.com/Documentation/Splunk/7.3.1/Search/SPLandregularexpressions), I believe all backslashes in a path ( \ ) must be stated within a regex as four backslashes ( \\\\ ).
Therefore, I expect to match the above event with | regex Message="Share Path:\s*\\\\\?\?\\\\D" | rex "Share Path:\s*\\\\\?\?\\\\(?P<path>.*)" where path is then equal to D:\UEM\uemprofiles, and the rex works.
But given that regex, how do I know for sure that this acts the same way as rex, and thusly how do I know that blacklist in inputs.conf will act this same way?
In fact, I have a feeling that blacklist does not require the additional backslash escape conditions. Is this correct?
Therefore, to blacklist these events (only when share path contains \??\D:) within an inputs.conf WinEventLog stanza, the following syntax should be used for a successful regex match:
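As an added illustration, not part of the question above and not Splunk's own code: a small Python model of the two layers a search-time regex passes through (an SPL quoted-string unescape that is assumed here to collapse `\\` to `\` and `\"` to `"` and to pass every other backslash sequence through untouched, then a PCRE-style engine, stood in for by Python's re), contrasted with a regex consumed directly with no string layer, which is the hypothesis the question raises for the inputs.conf blacklist. The sample Message text is constructed from the event in the question.

```python
import re

# Constructed excerpt of the Message field from the question (three lines).
MESSAGE = (
    "Share Name: \\\\*\\uemprofiles\n"
    "Share Path: \\??\\D:\\UEM\\uemprofiles\n"
    "Relative Target Name: testuser\\favorites\\thisisawebpage.url"
)

# The rex pattern exactly as typed in the question (four backslashes per literal backslash).
SEARCH_REGEX = r"Share Path:\s*\\\\\?\?\\\\(?P<path>.*)"
# The same match written for a consumer that applies no string-unescape layer
# (two backslashes per literal backslash, plain PCRE).
CONFIG_REGEX = r"Share Path:\s*\\\?\?\\D"


def spl_unescape(s: str) -> str:
    # Assumed, simplified model of SPL double-quoted string processing:
    # a backslash followed by a backslash or a double quote yields that
    # character; any other backslash sequence (\s, \?, ...) is left as-is
    # for the regex engine to interpret.
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s) and s[i + 1] in ("\\", '"'):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def rex_path(spl_regex: str):
    # Search-time model: SPL unescape first, then PCRE-style matching.
    # Returns the captured "path" group, or None when nothing matches.
    m = re.search(spl_unescape(spl_regex), MESSAGE)
    return m.group("path") if m else None


def raw_match(regex: str) -> bool:
    # Config-file model: the regex reaches the engine with no unescape pass.
    return re.search(regex, MESSAGE) is not None


if __name__ == "__main__":
    print("engine sees:", spl_unescape(SEARCH_REGEX))
    print("rex path   :", rex_path(SEARCH_REGEX))
    print("raw, 4 backslashes:", raw_match(SEARCH_REGEX))
    print("raw, 2 backslashes:", raw_match(CONFIG_REGEX))
```

Under these assumptions the four-backslash pattern only works once the string layer has halved it; fed to the engine directly it demands two literal backslashes before `??` and never matches the event.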