Splunk Search

Regex to pull a filename out of a process field path

jared_anderson
Path Finder

I want a regular expression to pull a file name out of a path that is the process field. The path could be any directory, and the filename could be named anything.

Sample logs.

Oct 25 14:47:20 server.domain.local Oct 25 14:47:19 172.23.0.24 system event: text="Modification (Create Key) of registry '\registry\machine\system\currentcontrolset\services\napagent\qecs\' by 'company\user' was allowed." type="Policy Enforcement" subtype="Report write (registry rule)" hostname="domain\computer" username="domain\user" date="10/25/2017 7:46:25 PM" ip_address="172.23.1.13" process="c:\windows\system32\mmc.exe" policy="Windows Medium Enforcement" rule_name="FIM_OSSEC" process_key="00000000-0000-15e8-01d3-490915c2f584" server_version="7.2.1.1903" process_trust="10" process_threat="0"

Oct 25 13:31:5""0 server2.domain.local Oct 25 13:31:43 172.23.0.24 1 2017-10-25T18:31:43Z server2.domain.local - - - - event: text="'c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\administrative tools' was created by 'domain\user'." type="Policy Enforcement" subtype="Report write (custom rule)" hostname="domain\user" username="domain\user" date="10/25/2017 6:30:38 PM" ip_address="172.16.1.12" process="c:\windows\system32\mmc.exe" file_path="c:\users\dccon\appdata\roaming\microsoft\windows\start menu\programs\administrative tools" file_name="administrative tools" policy="Windows High Enforcement" rule_name="FIM_Directory" process_key="00000000-0000-0848-01d3-4d9cda329d68" server_version="7.2.1.1903" process_trust="10" process_threat="0"

Tags (2)
0 Karma
1 Solution

gokadroid
Motivator

Try this to get filename and directory in two separate fields.

your query to return events 
| rex "\sprocess=\"(?<directory>(\S+\\))(?<filename>[^\"]+)\""
| table directory, filename

See above regex here

If you need all in one field called file then try this

your query to return events
| rex "\sprocess=\"(?<file>[^\"]+)\""

See above regex here

View solution in original post

0 Karma

gokadroid
Motivator

Try this to get filename and directory in two separate fields.

your query to return events 
| rex "\sprocess=\"(?<directory>(\S+\\))(?<filename>[^\"]+)\""
| table directory, filename

See above regex here

If you need all in one field called file then try this

your query to return events
| rex "\sprocess=\"(?<file>[^\"]+)\""

See above regex here

0 Karma

jared_anderson
Path Finder

Ah, so i didn't account for file paths with spaces like below.

Oct 26 07:51:38 server.domain.local Oct 26 07:51:37 172.23.0.24 system event: text="'c:\users\user\appdata\locallow\microsoft\cryptneturlcache\metadata\7396c420a8e1bc1da97f1af0d10bad21' was created by 'domain\user'." type="Policy Enforcement" subtype="Report write (custom rule)" hostname="domain\user" username="domain\user" date="10/26/2017 12:50:01 PM" ip_address="172.12.0.12" process="c:\program files\microsoft sql server\mssql10_50.mssqlserver\mssql\binn\databasemail.exe" file_path="c:\users\user\appdata\locallow\microsoft\cryptneturlcache\metadata\7396c420a8e1bc1da97f1af0d10bad21" file_name="7396c420a8e1bc1da97f1af0d10bad21" policy="Windows High Enforcement" rule_name="FIM_Directory" process_key="00000000-0000-1bc4-01d3-4e58efc90f89" server_version="7.2.1.1903" process_trust="10" process_threat="0"

0 Karma

jared_anderson
Path Finder

process=".+\(?[^"]+)" (policy|file_path)=

0 Karma

Damien_Dallimor
Ultra Champion
^.+\sprocess="(?<filename>.+?)".+$
0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...