Splunk Search

Regex match on "message" portion of event

montydo
Explorer

From the splunk windows_TA guide

"The following keys are equivalent to the fields which appear in the text of
the acquired events: Category CategoryString ComputerName EventCode
EventType Keywords LogName **Message** OpCode RecordNumber Sid SidType
SourceName TaskCategory Type User"

I'm trying to filter on the contents of the "Message" field:

An operation was attempted on a privileged object. Subject: Security ID:    ROOT\username Account Name: username Account Domain:    DOMAINNAME Logon ID:    0x200ABCD1 Object: Object Server:   Security Object Type:   - Object Name:  - Object Handle: 0x1234 Process Information: Process ID:    0x12A3 Process Name:    **C:\Program Files\Veeam\Backup and Replication\Console\veeam.backup.shell.exe** Requested Operation: Desired Access:   1234567 Privileges: SeTakeOwnershipPrivilege

I'm looking to match on the "C:\Program Files\Veeam\Backup and Replication\Console\veeam.backup.shell.exe" portion and discard the events through a blacklist stanza in the inputs.conf on the Universal Forwarder.

Something like:

blacklist3 = | key=regex [key=REGEXHERE?]

Is this possible? And can anyone help with the regex?

0 Karma

damann
Communicator

Try this for your blacklisting.
Make sure you escape your backslashes and your dots as they would be interpreted as wildcards.

blacklist3 = Message="Process Name:\s+C:\\Program Files\\Veeam\\Backup and Replication\\Console\\veeam\.backup\.shell\.exe"
0 Karma

gcusello
SplunkTrust

Hi @montydo,
let me understand: do you want to exclude from indexing all the events where there's the string "C:\Program Files\Veeam\Backup and Replication\Console\veeam.backup.shell.exe"?
If this is your need, you should use something like this:

[WinEventLog://Security]
disabled = 0
start_from = newest
# key="regex" form: the pattern is applied to the Message field (a bare value is treated as an EventCode filter)
blacklist1 = Message="C:\\Program Files\\Veeam\\Backup and Replication\\Console\\veeam\.backup\.shell\.exe"
index = wineventlog

Otherwise, you can filter these events on the indexers before indexing (see https://docs.splunk.com/Documentation/Splunk/8.0.1/Forwarding/Routeandfilterdatad#Filter_event_data_... ) using the same regex.

Ciao.
Giuseppe

0 Karma
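As an added illustration of both answers above (this is not code from the thread and not Splunk's own implementation), the following Python parses an inputs.conf `key="regex"` blacklist line, applies it to the Message field of constructed sample events, and shows why unescaped dots are a problem. The sample event text, the process IDs and the AND-across-pairs semantics for one blacklist line are assumptions made for the example; Splunk's forwarder does the real matching with PCRE, which Python's `re` mirrors closely enough for this pattern.

```python
import re

# Constructed sample events, modelled on the Security event quoted in the
# question. Values are made up; real events separate fields with tabs/newlines.
SAMPLE_EVENTS = [
    {
        "EventCode": "4674",
        "Message": "An operation was attempted on a privileged object.\r\n"
                   "Process Information:\r\n"
                   "\tProcess ID:\t\t0x12a3\r\n"
                   "\tProcess Name:\t\tC:\\Program Files\\Veeam\\Backup and Replication"
                   "\\Console\\veeam.backup.shell.exe\r\n",
    },
    {
        "EventCode": "4674",
        "Message": "An operation was attempted on a privileged object.\r\n"
                   "Process Information:\r\n"
                   "\tProcess ID:\t\t0x0fa1\r\n"
                   "\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\r\n",
    },
]

# Blacklist line in the form used in the answers (regex escaped for PCRE).
BLACKLIST_LINE = (
    r'blacklist3 = Message="Process Name:\s+C:\\Program Files\\Veeam'
    r'\\Backup and Replication\\Console\\veeam\.backup\.shell\.exe"'
)

# key="quoted regex" or key=bareregex
_PAIR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_blacklist_line(line):
    """Turn 'blacklistN = key="regex" [key=regex ...]' into [(key, compiled regex)]."""
    _, _, value = line.partition("=")          # drop the 'blacklistN' setting name
    pairs = []
    for key, quoted, bare in _PAIR_RE.findall(value.strip()):
        pairs.append((key, re.compile(quoted if quoted else bare)))
    if not pairs:
        raise ValueError("no key=regex pairs found in: %r" % line)
    return pairs


def is_blacklisted(event, pairs):
    """Assumed Splunk semantics: every key=regex pair on one line must match (AND);
    separate blacklistN lines are ORed by filter_events()."""
    return all(regex.search(event.get(key, "")) for key, regex in pairs)


def filter_events(events, blacklist_lines):
    """Return the events that survive all blacklist lines (i.e. would be indexed)."""
    rules = [parse_blacklist_line(line) for line in blacklist_lines]
    return [e for e in events if not any(is_blacklisted(e, r) for r in rules)]


def unescaped_pattern_is_overbroad():
    """Why the dots must be escaped: an unescaped '.' is a single-character wildcard."""
    loose = re.compile(r"veeam.backup.shell.exe")
    strict = re.compile(r"veeam\.backup\.shell\.exe")
    decoy = "veeamXbackupXshellXexe"          # constructed string, not the real file name
    return bool(loose.search(decoy)) and not strict.search(decoy)


if __name__ == "__main__":
    kept = filter_events(SAMPLE_EVENTS, [BLACKLIST_LINE])
    print("events kept after blacklist:", len(kept))            # 1 (the services.exe event)
    print("unescaped dots over-match:", unescaped_pattern_is_overbroad())
```

The `\s+` after `Process Name:` is what makes the pattern tolerate the tab characters Windows puts between the label and the value; anchoring on the literal path alone (as in the second answer) also works, it is just less specific about where in the message the path appears.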