Splunk Search

Regex to pull a filename out of a process field path

jared_anderson
Path Finder

I want a regular expression to pull a file name out of a path that is the process field. The path could be any directory, and the filename could be named anything.

Sample logs.

Oct 25 14:47:20 server.domain.local Oct 25 14:47:19 172.23.0.24 system event: text="Modification (Create Key) of registry '\registry\machine\system\currentcontrolset\services\napagent\qecs\' by 'company\user' was allowed." type="Policy Enforcement" subtype="Report write (registry rule)" hostname="domain\computer" username="domain\user" date="10/25/2017 7:46:25 PM" ip_address="172.23.1.13" process="c:\windows\system32\mmc.exe" policy="Windows Medium Enforcement" rule_name="FIM_OSSEC" process_key="00000000-0000-15e8-01d3-490915c2f584" server_version="7.2.1.1903" process_trust="10" process_threat="0"

Oct 25 13:31:5""0 server2.domain.local Oct 25 13:31:43 172.23.0.24 1 2017-10-25T18:31:43Z server2.domain.local - - - - event: text="'c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\administrative tools' was created by 'domain\user'." type="Policy Enforcement" subtype="Report write (custom rule)" hostname="domain\user" username="domain\user" date="10/25/2017 6:30:38 PM" ip_address="172.16.1.12" process="c:\windows\system32\mmc.exe" file_path="c:\users\dccon\appdata\roaming\microsoft\windows\start menu\programs\administrative tools" file_name="administrative tools" policy="Windows High Enforcement" rule_name="FIM_Directory" process_key="00000000-0000-0848-01d3-4d9cda329d68" server_version="7.2.1.1903" process_trust="10" process_threat="0"

1 Solution

gokadroid
Motivator

Try this to get filename and directory in two separate fields.

your query to return events 
| rex "\sprocess=\"(?<directory>(\S+\\))(?<filename>[^\"]+)\""
| table directory, filename

See above regex here

If you need all in one field called file then try this

your query to return events
| rex "\sprocess=\"(?<file>[^\"]+)\""

See above regex here



jared_anderson
Path Finder

Ah, so I didn't account for file paths with spaces like below.

Oct 26 07:51:38 server.domain.local Oct 26 07:51:37 172.23.0.24 system event: text="'c:\users\user\appdata\locallow\microsoft\cryptneturlcache\metadata\7396c420a8e1bc1da97f1af0d10bad21' was created by 'domain\user'." type="Policy Enforcement" subtype="Report write (custom rule)" hostname="domain\user" username="domain\user" date="10/26/2017 12:50:01 PM" ip_address="172.12.0.12" process="c:\program files\microsoft sql server\mssql10_50.mssqlserver\mssql\binn\databasemail.exe" file_path="c:\users\user\appdata\locallow\microsoft\cryptneturlcache\metadata\7396c420a8e1bc1da97f1af0d10bad21" file_name="7396c420a8e1bc1da97f1af0d10bad21" policy="Windows High Enforcement" rule_name="FIM_Directory" process_key="00000000-0000-1bc4-01d3-4e58efc90f89" server_version="7.2.1.1903" process_trust="10" process_threat="0"


jared_anderson
Path Finder

process=".+\(?[^"]+)" (policy|file_path)=


Damien_Dallimor
Ultra Champion

^.+\sprocess="(?<filename>.+?)".+$
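Running the thread's regexes outside Splunk makes the spaces problem concrete: this is an added Python example of mine, not any poster's code. The two constructed events (trimmed to the fields that matter) and the space-tolerant pattern TOLERANT_RE are my assumptions; the rex strings from gokadroid and Damien_Dallimor are carried over with Python's (?P<name>...) group syntax.

```python
import re

# Constructed events, trimmed to the relevant fields; the thread's real lines
# carry the same process="..." field among many more key=value pairs.
EVENTS = {
    "mmc": r'hostname="domain\computer" process="c:\windows\system32\mmc.exe" '
           r'policy="Windows Medium Enforcement"',
    "dbmail": r'hostname="domain\user" process="c:\program files\microsoft sql server'
              r'\mssql10_50.mssqlserver\mssql\binn\databasemail.exe" '
              r'file_path="c:\users\user\appdata\locallow"',
}

# The accepted answer's rex. \S+ cannot cross a space, so on a path containing
# spaces it backtracks to the first backslash it can use and the split is wrong.
ACCEPTED_RE = re.compile(r'\sprocess="(?P<directory>\S+\\)(?P<filename>[^"]+)"')

# Space-tolerant variant (assumed, not from the thread): the directory may contain
# spaces and must end in a backslash; the filename is the trailing backslash-free run.
TOLERANT_RE = re.compile(r'\sprocess="(?P<directory>[^"]*\\)(?P<filename>[^"\\]+)"')

# Damien_Dallimor's rex: one field holding the whole path, spaces included.
WHOLE_RE = re.compile(r'^.+\sprocess="(?P<filename>.+?)".+$')


def split_process(event, pattern=TOLERANT_RE):
    """Return {'directory': ..., 'filename': ...}, or None when the pattern does not match."""
    m = pattern.search(event)
    return m.groupdict() if m else None


def whole_path(event):
    """Return the full process path as a single value, or None if absent."""
    m = WHOLE_RE.search(event)
    return m.group("filename") if m else None


if __name__ == "__main__":
    for name, event in EVENTS.items():
        print(name, "accepted:", split_process(event, ACCEPTED_RE))
        print(name, "tolerant:", split_process(event))
        print(name, "whole:   ", whole_path(event))
```

On the databasemail.exe event the accepted pattern still matches, but yields directory `c:\` and a filename that contains the rest of the path, which is why the field looked wrong rather than empty.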