Splunk Search

Regex not accepted when searching

robettinger
Explorer

Hi guys,

I am trying to get a regex to just match if a process has been run from the C drive, root folder.

I tried the following regex

regex New_Process_Name!="C:\\+[^\\\]+$"

but I still get all processes. The logic is simple: match only if there is no further "\" after "C:\".

What am I doing wrong?

Tags (1)
0 Karma
1 Solution

harsmarvania57
SplunkTrust
SplunkTrust

Hi @robettinger,

Please try below query, in below query first lines generating dummy data. Replace _raw in rex command with actual field name in which your processname stores.

| makeresults
| eval _raw="C:\abc.exe"
| append [ | makeresults | eval _raw="C:\abc\xyz.exe"]
| append [ | makeresults | eval _raw="C:\abc\pqr\xyz.exe"]
| rex field=_raw "(?m)C:[\\\](?<process>.*?[\\\].*)$"
| where isnull(process)

I hope this helps.

Thanks,
Harshil

View solution in original post

0 Karma

wenthold
Communicator

I think you had the right idea, but I'm not a fan of escaping backslashes with rex/regex. Try this:

| regex New_Process_Name="^C:\x5c[^\x5c]+$"
0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Hi @robettinger,

Please try below query, in below query first lines generating dummy data. Replace _raw in rex command with actual field name in which your processname stores.

| makeresults
| eval _raw="C:\abc.exe"
| append [ | makeresults | eval _raw="C:\abc\xyz.exe"]
| append [ | makeresults | eval _raw="C:\abc\pqr\xyz.exe"]
| rex field=_raw "(?m)C:[\\\](?<process>.*?[\\\].*)$"
| where isnull(process)

I hope this helps.

Thanks,
Harshil

View solution in original post

0 Karma

robettinger
Explorer

Hmmmm. Thank you! That is some improvement, but not quite yet what I had in mind .... Let me paste my entire query:

index=win_sec EventCode=4688 earliest=-1h@h latest=now New_Process_Name="C:\\Temp*" OR New_Process_Name="*AppData\\Local\\Temp*"  OR #########
| eval Account_Name=mvindex(Account_Name,0)
| eval Account_Domain=mvindex(Account_Domain,0)
| table _time, host, Account_Domain, Account_Name, app, New_Process_Name

The ##### part should be where New_Process_Name is something like "C:\xxx.xxx" but not "C:\xxx\xxx.xxx"

Your query makes sense but it's also renaming the New_Process_Name field which is not my intention ... Any ideas?

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

ok, can you please try this

| makeresults
| eval New_Process_Name="C:\abc.exe"
| append [ | makeresults | eval New_Process_Name="C:\abc\xyz.exe"]
| append [ | makeresults | eval New_Process_Name="C:\abc\pqr\xyz.exe"]
| append [ | makeresults | eval New_Process_Name="C:\Temp\xyz.exe"]
| append [ | makeresults | eval New_Process_Name="C:\abc\AppData\Local\Temp\xyz.exe"]
| rex field=New_Process_Name "(?m)(?<process>C:\\\(?!Temp|.*\\\AppData\\\Local\\\Temp\\\).*?\\\.*)$"
| where isnull(process)

So your query will be

    index=win_sec EventCode=4688 earliest=-1h@h latest=now 
     | rex field=New_Process_Name "(?m)(?<process>C:\\\(?!Temp|.*\\\AppData\\\Local\\\Temp\\\).*?\\\.*)$"
     | where isnull(process)
     | eval Account_Name=mvindex(Account_Name,0)
     | eval Account_Domain=mvindex(Account_Domain,0)
     | table _time, host, Account_Domain, Account_Name, app, New_Process_Name

EDIT: Updated the query

0 Karma

inventsekar
Super Champion

tested and its working fine..
Please check this -

| regex New_Process_Name="C:[//\\\][^\\\]"

alt text
alt text

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!