Regex matching in a Splunk search query that involves a lookup table

frankeke
Observer

I have created a lookup table in Splunk that contains a column with various regex patterns intended to match file paths. My goal is to use this lookup table within a search query to identify events where the path field matches any of the regex patterns specified in the Regex_Path column.

lookupfile:

[screenshot of the lookup file, not reproduced]

Here is the challenge I'm facing:

  • When using the match() function in my search query, it only successfully matches if the Regex_Path pattern completely matches the path field in the event. However, I expected match() to perform partial matches based on the regex pattern, which does not seem to be the case.

  • Interestingly, if I manually replace the Regex_Path in the where match() clause with the actual regex pattern, it successfully performs the match as expected.

Here is an example of my search query:

index=teleport event="sftp" path!=""
| eval path_lower=lower(path)
| lookup Sensitive_File_Path.csv Regex_Path AS path_lower OUTPUT Regex_Path, Note
| where match(path_lower, Regex_Path)
| table path_lower, Regex_Path, Note

I would like to understand why the match() function isn't working as anticipated when using the lookup table and whether there is a better method to achieve the desired regex matching.

Any insights or suggestions on how to resolve this issue would be greatly appreciated.


frankeke
Observer

Thanks, does the definition need global permission?


bowesmana
SplunkTrust

Give it the permissions you want for its visibility


bowesmana
SplunkTrust

You cannot use regex matching in lookups. Lookup wildcards only support *, and that is when you create a lookup definition and use the advanced options to set WILDCARD(Regex_Path). You are using a lookup file, not the definition.

So the lookup must match exactly, or, for a wildcarded version, when you have a *, e.g. /home/ubuntu/*.

But then you would have to have another column with the real regex. Note that c:\boot.ini is not valid regex, due to the \, which needs to be escaped.


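Why the original search only "works" for exact matches: a lookup against the .csv file is a plain string comparison, so Regex_Path and Note are populated only for events whose path_lower equals a row verbatim. For those events match() trivially succeeds; for every other event Regex_Path is null and the where clause drops it. The two searches below are added examples, not code from the thread.

The first uses the wildcard route described above. It assumes a lookup definition named sensitive_file_path_wc (hypothetical) built on Sensitive_File_Path.csv with an extra column Wildcard_Path (hypothetical) holding glob-style patterns such as /home/ubuntu/* or /etc/ssh/*, and with the definition's Match type set to WILDCARD(Wildcard_Path) (match_type = WILDCARD(Wildcard_Path) in the definition's transforms.conf stanza). The search must name the definition, not the .csv file, or the match is exact again:

```spl
index=teleport event="sftp" path!=""
| eval path_lower=lower(path)
| lookup sensitive_file_path_wc Wildcard_Path AS path_lower OUTPUT Wildcard_Path AS matched_pattern, Note
| where isnotnull(matched_pattern)
| table path_lower, matched_pattern, Note
```

Lookups are case-sensitive by default, so either keep the Wildcard_Path column lowercase (the path is lowercased first) or turn off case-sensitive matching in the definition. A * matches any run of characters, including further path separators.

The second does true regex matching against the rows of Sensitive_File_Path.csv. It reads the file with inputlookup and cross-joins every pattern row to every event (max=0 lifts join's default one-row limit), so each event keeps the Regex_Path and Note of every pattern it matches. It assumes the Regex_Path column holds real PCRE with backslashes and dots escaped, for instance ^c:\\boot\.ini$ rather than c:\boot.ini, written in lowercase or prefixed with (?i) because the path is lowercased first. Cost is events times rows, so this suits a lookup of dozens of patterns, not thousands:

```spl
index=teleport event="sftp" path!=""
| eval path_lower=lower(path), join_key=1
| join type=inner max=0 join_key
    [| inputlookup Sensitive_File_Path.csv
     | eval join_key=1]
| where match(path_lower, Regex_Path)
| table path_lower, Regex_Path, Note
```

If you only need to filter and do not need to know which pattern matched, the cheaper variant is to collapse the column into a single alternation in a subsearch (stats values(Regex_Path), then mvjoin with "|") and hand that one string to match(); the join version is the one that also returns Note.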