Splunk Search

Regex matching in a Splunk search query that involves a lookup table

frankeke
Observer

I have created a lookup table in Splunk that contains a column with various regex patterns intended to match file paths. My goal is to use this lookup table within a search query to identify events where the path field matches any of the regex patterns specified in the Regex_Path column.

Lookup file:

[screenshot of the lookup table: frankeke_0-1733190952823.png]

Here is the challenge I'm facing:

  • When using the match() function in my search query, it only successfully matches if the Regex_Path pattern completely matches the path field in the event. However, I expected match() to perform partial matches based on the regex pattern, which does not seem to be the case.

  • Interestingly, if I manually replace the Regex_Path in the where match() clause with the actual regex pattern, it successfully performs the match as expected.

Here is an example of my search query:

index=teleport event="sftp" path!=""
| eval path_lower=lower(path)
| lookup Sensitive_File_Path.csv Regex_Path AS path_lower OUTPUT Regex_Path, Note
| where match(path_lower, Regex_Path)
| table path_lower, Regex_Path, Note

I would like to understand why the match() function isn't working as anticipated when using the lookup table and whether there is a better method to achieve the desired regex matching.

Any insights or suggestions on how to resolve this issue would be greatly appreciated.


frankeke
Observer

Thanks, does the definition need global permission?


bowesmana
SplunkTrust

Give it the permissions you want for its visibility


bowesmana
SplunkTrust

You cannot use regex matching in lookups. Lookup wildcards only support *, and that is only when you create a lookup definition and use the advanced options to set WILDCARD(Regex_Path). You are using a lookup file, not the definition.

So the lookup must match exactly, or, when you have a * (e.g. /home/ubuntu/*), the wildcarded version.

But then you would have to have another column with the real regex. Note that c:\boot.ini is not valid regex, due to the \ which needs to be escaped.

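The three behaviours this thread turns on, simulated in Python as an added example (it is not Splunk's code and not from either poster): a plain lookup file matching exactly, a lookup definition with WILDCARD(...) where only * is special, and the partial regex match the question expected from match() once it is handed a real regex from a separate column. The CSV rows are constructed; the Wildcard_Path column name is an assumption for the extra column the reply suggests keeping alongside Regex_Path and Note; and wildcard_to_regex is an approximation of Splunk's wildcard semantics, not its implementation. The last two functions show the escaping point from the reply: c:\boot.ini used directly as a regex does not match its own literal path, while the escaped form c:\\boot\.ini does.

```python
import csv
import io
import re

# Constructed lookup table (not the asker's file). It follows the reply's advice:
# a wildcard column that a WILDCARD(...) lookup definition can use, and a separate
# column holding the real regex with backslashes escaped. Column name Wildcard_Path
# is an assumption; Regex_Path and Note come from the original query.
LOOKUP_CSV = r"""Wildcard_Path,Regex_Path,Note
/home/ubuntu/*,^/home/ubuntu/,home dir of default cloud user
*/.ssh/*,/\.ssh/,SSH keys and config
c:\boot.ini,c:\\boot\.ini,Windows boot configuration
"""


def load_lookup(text=LOOKUP_CSV):
    """Parse the CSV into a list of row dicts, the way Splunk reads a lookup file."""
    return list(csv.DictReader(io.StringIO(text)))


def wildcard_to_regex(pattern):
    """Approximation of Splunk's WILDCARD match type (assumed semantics): only '*'
    is special and stands for any run of characters; everything else is literal
    and the whole value has to match."""
    return "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"


def exact_lookup(rows, key_field, value):
    """Plain lookup file (the asker's query): the event field must equal the value."""
    return [r for r in rows if r[key_field] == value]


def wildcard_lookup(rows, key_field, value):
    """Lookup definition with WILDCARD(key_field): '*' matches, regex syntax does not."""
    return [r for r in rows if re.match(wildcard_to_regex(r[key_field]), value)]


def regex_match(rows, key_field, value):
    """What the question expected: partial regex search, as SPL's match() does when
    it is given a real regex rather than a literal path."""
    return [r for r in rows if re.search(r[key_field], value)]


def classify_paths(paths, rows):
    """Mirror the query: lowercase the path, then return the Note of the first regex
    row that matches it, or None when no sensitive pattern applies."""
    result = {}
    for path in paths:
        hits = regex_match(rows, "Regex_Path", path.lower())
        result[path] = hits[0]["Note"] if hits else None
    return result


def unescaped_backslash_matches(path=r"c:\boot.ini"):
    r"""The raw lookup value c:\boot.ini used directly as a regex: '\b' becomes a word
    boundary and '.' any character, so it fails to match its own literal path."""
    return re.search(r"c:\boot.ini", path) is not None


def escaped_backslash_matches(path=r"c:\boot.ini"):
    """Escaping the literal first (what the Regex_Path column must contain) fixes it."""
    return re.search(re.escape(path), path) is not None


if __name__ == "__main__":
    rows = load_lookup()
    sample = "/home/ubuntu/.ssh/id_rsa"
    print("exact   :", [r["Note"] for r in exact_lookup(rows, "Wildcard_Path", sample)])
    print("wildcard:", [r["Note"] for r in wildcard_lookup(rows, "Wildcard_Path", sample)])
    print("regex   :", [r["Note"] for r in regex_match(rows, "Regex_Path", sample)])
    print(classify_paths(["/var/log/syslog", r"C:\boot.ini"], rows))
    print(unescaped_backslash_matches(), escaped_backslash_matches())
```

Running it shows the exact lookup returning nothing for a path under /home/ubuntu/, the wildcard lookup returning both rows whose * patterns cover it, and the regex column giving the partial matches the original query was after. The same split applies in Splunk: keep the column the lookup definition matches on wildcard-only, and keep the column you feed to match() as a properly escaped regex.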