Hi All,
I am trying to create a search that will parse our endpoint logs for any executable that have been run from the Desktop or Downloads folders and any sub folders. Most searches I try return a large number of false positives (product names or folders have desktop or downloads in the name, but they aren't specifically in that folder. So to combat this I'm trying to rex the specific folder. Using the regex I have below on regex101 it works exactly how I expect. However in splunk I get, first a missing parenthesis error, and if I arbitrarily add another close parenthesis I get "look back is not a fixed length" error. Thoughts?
sourcetype=endpointsource AND event_name=process_ran
| rex field=CommandLine "(?<=\\Desktop|Downloads\\)(?<EXE_RAN>.*\.exe)"
| table _time ComputerName TargetFileName EXE_RAN user
Example of it working on regex101: https://regex101.com/r/24uxEB/1
Thanks!
Here is one way:
| rex field=CommandLine ".*(Desktop|Downloads)\\\(?<EXE_RAN>.*\.exe)"
Try this:
| rex field=CommandLine "(?<=\\\Desktop|Downloads\\\)(?<EXE_RAN>.*\.exe)"
Also try run anywhere search
| makeresults
| eval data="C:\users\user1\Downloads\blah.exe,C:\Users\user234\Downloads\sqldeveloper-17.4.0.355.2349-x64\sqldeveloper\sqldeveloper\bin\sqldeveloper64W.exe,C:\Users\user9823\AppData\Local\iManage\Installer\Updates\iManage Work Desktop for Windows x86.exe,C:\Users\johnsmith\Desktop\dataloader-44.0.0.exe"
| makemv data delim=","
| mvexpand data
| table data
| rex field=data "(?<=\\\Desktop|Downloads\\\)(?<EXE_RAN>.*\.exe)"
Here is one way:
| rex field=CommandLine ".*(Desktop|Downloads)\\\(?<EXE_RAN>.*\.exe)"
This worked perfectly, that extra escape character really got me. Thank you!
This gets me the following error still:
Error in 'rex' command: Encountered the following error while compiling the regex '.(Desktop|Downloads)(?..exe)': Regex: unmatched closing parenthesis.
Sorry, forgot Splunk needed another escape character. Fixed above!