Regex to pull a filename out of a process field path

Path Finder

I want a regular expression to pull a file name out of a path that is in the process field. The path could be any directory, and the filename could be named anything.

Sample logs.

Oct 25 14:47:20 server.domain.local Oct 25 14:47:19 172.23.0.24 system event: text="Modification (Create Key) of registry '\registry\machine\system\currentcontrolset\services\napagent\qecs\' by 'company\user' was allowed." type="Policy Enforcement" subtype="Report write (registry rule)" hostname="domain\computer" username="domain\user" date="10/25/2017 7:46:25 PM" ipaddress="172.23.1.13" process="c:\windows\system32\mmc.exe" policy="Windows Medium Enforcement" rulename="FIMOSSEC" processkey="00000000-0000-15e8-01d3-490915c2f584" serverversion="7.2.1.1903" processtrust="10" process_threat="0"

Oct 25 13:31:50 server2.domain.local Oct 25 13:31:43 172.23.0.24 1 2017-10-25T18:31:43Z server2.domain.local - - - - event: text="'c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\administrative tools' was created by 'domain\user'." type="Policy Enforcement" subtype="Report write (custom rule)" hostname="domain\user" username="domain\user" date="10/25/2017 6:30:38 PM" ipaddress="172.16.1.12" process="c:\windows\system32\mmc.exe" filepath="c:\users\dccon\appdata\roaming\microsoft\windows\start menu\programs\administrative tools" filename="administrative tools" policy="Windows High Enforcement" rulename="FIMDirectory" processkey="00000000-0000-0848-01d3-4d9cda329d68" serverversion="7.2.1.1903" processtrust="10" process_threat="0"

Motivator

Try this to get filename and directory in two separate fields.

your query to return events 
| rex "\sprocess=\"(?<directory>(\S+\\))(?<filename>[^\"]+)\""
| table directory, filename

If you need it all in one field called file, then try this:

your query to return events
| rex "\sprocess=\"(?<file>[^\"]+)\""


Path Finder

Ah, so I didn't account for file paths with spaces, like the one below.

Oct 26 07:51:38 server.domain.local Oct 26 07:51:37 172.23.0.24 system event: text="'c:\users\user\appdata\locallow\microsoft\cryptneturlcache\metadata\7396c420a8e1bc1da97f1af0d10bad21' was created by 'domain\user'." type="Policy Enforcement" subtype="Report write (custom rule)" hostname="domain\user" username="domain\user" date="10/26/2017 12:50:01 PM" ipaddress="172.12.0.12" process="c:\program files\microsoft sql server\mssql1050.mssqlserver\mssql\binn\databasemail.exe" filepath="c:\users\user\appdata\locallow\microsoft\cryptneturlcache\metadata\7396c420a8e1bc1da97f1af0d10bad21" filename="7396c420a8e1bc1da97f1af0d10bad21" policy="Windows High Enforcement" rulename="FIMDirectory" processkey="00000000-0000-1bc4-01d3-4e58efc90f89" serverversion="7.2.1.1903" processtrust="10" processthreat="0"

Path Finder

process=".+\(?[^"]+)" (policy|file_path)=

Ultra Champion

^.+\sprocess="(?<filename>.+?)".+$
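As an added example (not from any poster in this thread), the following Python script runs the accepted answer's directory/filename split against a path that contains spaces and shows why it breaks, beside a pattern that anchors on the last backslash instead. The sample events are constructed and shortened, keeping only the process= values quoted in the thread; Splunk's rex uses the same PCRE syntax except that named groups are written (?<name>...) rather than Python's (?P<name>...).

```python
import re

# Constructed, shortened events: the process= values are the two quoted in the
# thread (one path without spaces, one with spaces in the directory names).
SAMPLE_EVENTS = [
    'Oct 25 14:47:20 server.domain.local system event: text="..." '
    'process="c:\\windows\\system32\\mmc.exe" policy="Windows Medium Enforcement"',
    'Oct 26 07:51:38 server.domain.local system event: text="..." '
    'process="c:\\program files\\microsoft sql server\\mssql1050.mssqlserver'
    '\\mssql\\binn\\databasemail.exe" '
    'filepath="c:\\users\\user\\appdata\\locallow\\..." policy="Windows High Enforcement"',
]

# Accepted answer's pattern: \S+ cannot cross a space, so on a path with spaces
# the regex backtracks to the first backslash and puts the rest in "filename".
NO_SPACES_PATTERN = re.compile(
    r'\sprocess="(?P<directory>\S+\\)(?P<filename>[^"]+)"'
)

# Space-tolerant pattern: the directory is everything up to the LAST backslash
# inside the quotes ([^"]* may contain spaces but cannot leave the field); the
# filename excludes quotes and backslashes, so it is always the final component.
SPACES_OK_PATTERN = re.compile(
    r'\sprocess="(?P<directory>[^"]*\\)(?P<filename>[^"\\]+)"'
)


def extract_process(event, pattern=SPACES_OK_PATTERN):
    """Return (directory, filename) from the process="..." field, or None."""
    m = pattern.search(event)
    if not m:
        return None
    return m.group("directory"), m.group("filename")


def process_filenames(events, pattern=SPACES_OK_PATTERN):
    """Distinct executable names seen across events, for a summary table."""
    names = set()
    for event in events:
        parsed = extract_process(event, pattern)
        if parsed:
            names.add(parsed[1])
    return sorted(names)


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print("answer's regex :", extract_process(event, NO_SPACES_PATTERN))
        print("last-backslash :", extract_process(event))
```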