Splunk Search

Regex not accepted when searching

robettinger
Explorer

Hi guys,

I am trying to get a regex to just match if a process has been run from the C drive, root folder.

I tried the following regex

regex New_Process_Name!="C:\\+[^\\\]+$"

but I still get all processes. The logic is simple: match only if there is no further "\" after "C:\".

What am I doing wrong?

1 Solution

harsmarvania57
Ultra Champion

Hi @robettinger,

Please try the query below; its first lines generate dummy data. Replace _raw in the rex command with the actual field name in which your process name is stored.

| makeresults
| eval _raw="C:\abc.exe"
| append [ | makeresults | eval _raw="C:\abc\xyz.exe"]
| append [ | makeresults | eval _raw="C:\abc\pqr\xyz.exe"]
| rex field=_raw "(?m)C:[\\\](?<process>.*?[\\\].*)$"
| where isnull(process)

I hope this helps.

Thanks,
Harshil


wenthold
Communicator

I think you had the right idea, but I'm not a fan of escaping backslashes with rex/regex. Try this:

| regex New_Process_Name="^C:\x5c[^\x5c]+$"


robettinger
Explorer

Hmmmm. Thank you! That is some improvement, but not quite what I had in mind yet. Let me paste my entire query:

index=win_sec EventCode=4688 earliest=-1h@h latest=now New_Process_Name="C:\\Temp*" OR New_Process_Name="*AppData\\Local\\Temp*"  OR #########
| eval Account_Name=mvindex(Account_Name,0)
| eval Account_Domain=mvindex(Account_Domain,0)
| table _time, host, Account_Domain, Account_Name, app, New_Process_Name

The ##### part should be where New_Process_Name is something like "C:\xxx.xxx" but not "C:\xxx\xxx.xxx"

Your query makes sense, but it's also renaming the New_Process_Name field, which is not my intention. Any ideas?


harsmarvania57
Ultra Champion

OK, can you please try this:

| makeresults
| eval New_Process_Name="C:\abc.exe"
| append [ | makeresults | eval New_Process_Name="C:\abc\xyz.exe"]
| append [ | makeresults | eval New_Process_Name="C:\abc\pqr\xyz.exe"]
| append [ | makeresults | eval New_Process_Name="C:\Temp\xyz.exe"]
| append [ | makeresults | eval New_Process_Name="C:\abc\AppData\Local\Temp\xyz.exe"]
| rex field=New_Process_Name "(?m)(?<process>C:\\\(?!Temp|.*\\\AppData\\\Local\\\Temp\\\).*?\\\.*)$"
| where isnull(process)

So your query will be:

index=win_sec EventCode=4688 earliest=-1h@h latest=now
| rex field=New_Process_Name "(?m)(?<process>C:\\\(?!Temp|.*\\\AppData\\\Local\\\Temp\\\).*?\\\.*)$"
| where isnull(process)
| eval Account_Name=mvindex(Account_Name,0)
| eval Account_Domain=mvindex(Account_Domain,0)
| table _time, host, Account_Domain, Account_Name, app, New_Process_Name

EDIT: Updated the query

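The thread's matching logic, as an added worked example in Python that is not part of any post above and not Splunk's own code. It shows (1) the root-of-C: pattern the regex command actually receives once the `\x5c` hex escape (a literal backslash) is resolved, (2) a positive form of the full hunt (root of C:, C:\Temp, and AppData\Local\Temp) and (3) the negative-lookahead rex from the consolidated query, emulated together with `where isnull(process)`. The 4688 records are constructed for the example; field names follow the thread, the hostnames and account names are made up.

```python
import re

# Constructed sample of Security event 4688 (process creation) fields;
# these are made-up records, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "Account_Name": "alice", "New_Process_Name": r"C:\abc.exe"},
    {"host": "ws01", "Account_Name": "alice", "New_Process_Name": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws02", "Account_Name": "bob",   "New_Process_Name": r"C:\Temp\payload.exe"},
    {"host": "ws02", "Account_Name": "bob",   "New_Process_Name": r"C:\Users\bob\AppData\Local\Temp\7z.exe"},
    {"host": "ws03", "Account_Name": "carol", "New_Process_Name": r"C:\Program Files\App\app.exe"},
    {"host": "ws03", "Account_Name": "carol", "New_Process_Name": r"D:\tools\nc.exe"},
]

# "C:\" followed by one or more non-backslash characters up to the end of the
# string: the pattern the regex engine receives from the SPL
#   | regex New_Process_Name="^C:\x5c[^\x5c]+$"
# (\x5c is the hex escape for a backslash; a Python raw string spells it "\\").
# Splunk's regex command is case-sensitive unless you add (?i); Windows paths
# are not, so the example opts in to case-insensitive matching.
ROOT_OF_C = re.compile(r"^C:\\[^\\]+$", re.IGNORECASE)

# Positive form of the whole hunt: file directly under C:\, anything under
# C:\Temp, or anything under a profile's AppData\Local\Temp.
SUSPICIOUS_LOCATION = re.compile(
    r"""^(?:
          C:\\[^\\]+                      # executable directly under the C: root
        | C:\\Temp\\.*                    # anywhere under C:\Temp
        | .*\\AppData\\Local\\Temp\\.*    # per-user temp directory
        )$""",
    re.IGNORECASE | re.VERBOSE,
)

# What the consolidated query's rex sees after SPL turns each "\\\" into "\\":
#   C:\\(?!Temp|.*\\AppData\\Local\\Temp\\).*?\\.*$
# It matches the *uninteresting* paths; "| where isnull(process)" keeps the rest.
# rex is unanchored, so re.search is the faithful equivalent.
ACCEPTED_ANSWER_REX = re.compile(r"C:\\(?!Temp|.*\\AppData\\Local\\Temp\\).*?\\.*$")


def launched_from_c_root(path: str) -> bool:
    """True only when the executable sits directly in the root of C:."""
    return ROOT_OF_C.match(path) is not None


def suspicious_launches(events):
    """Rows the positive rule would surface in the final table."""
    return [e for e in events if SUSPICIOUS_LOCATION.match(e["New_Process_Name"])]


def passes_accepted_answer_filter(path: str) -> bool:
    """Emulates `rex ... | where isnull(process)` from the consolidated query."""
    return ACCEPTED_ANSWER_REX.search(path) is None


if __name__ == "__main__":
    print(f"{'host':6} {'Account_Name':13} New_Process_Name")
    for e in suspicious_launches(SAMPLE_EVENTS):
        print(f"{e['host']:6} {e['Account_Name']:13} {e['New_Process_Name']}")
    # The negative-lookahead filter agrees on every C: path but, because it
    # never requires the drive letter, it also keeps D:\tools\nc.exe.
    for e in SAMPLE_EVENTS:
        p = e["New_Process_Name"]
        if passes_accepted_answer_filter(p) != bool(SUSPICIOUS_LOCATION.match(p)):
            print("kept only by the isnull() filter:", p)
```

Two practical points the run makes visible: the `isnull(process)` approach is an exclusion filter, so any path that never contains `C:\` (another drive, a UNC path, an empty field) survives it, whereas the positive pattern only returns the three locations you asked for; and a field search such as `New_Process_Name="C:\\Temp*"` is case-insensitive in Splunk while `regex`/`rex` are not, so add `(?i)` to the SPL pattern if you want the same behaviour.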

inventsekar
SplunkTrust

Tested and it's working fine.
Please check this:

| regex New_Process_Name="^C:[/\\\][^\\\]+$"


thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !