Splunk Search

Regular Expression to Extract Values From a Field

Bytes
Explorer

Hello Ninjas,

Am having some trouble trying to figure out how to use regex to perform a simple action.

So I have a field called Caller_Process_Name which has the value of C:\Windows\System32\explorer.exe

I want to take the "explorer.exe" part out of this field and place it in a new field (called process_name_short). So I see regex as the solution here.

I have been trying the following but I do not believe I am using regex correctly in Splunk and the documentation isn't very helpful.

| rex field=Caller_Process_Name (?<process_name_short>/(\w+)\.(\w+)$/)

I'm sure my regex is solid as it pulls out only the explorer.exe part of the string in the online regex testers.

Would anyone be willing to show me what I'm not doing right here please.

Thanks 🙂

0 Karma
1 Solution

jmallorquin
Builder

Hi you can use this.

 | rex field=Caller_Process_Name "(?<process_name_short>[^\\]+$)"

Hope i help you

View solution in original post

Bytes
Explorer

Apologies. There should be back slashes instead of forward slashes in the UNC path. Had to use forward slashes on the question as it wouldn't allow back slashes.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Backslashes are allowed if you put the string within backtics. I've edited your question to use the right slashes.

---
If this reply helps you, Karma would be appreciated.

Bytes
Explorer

Thank you! 🙂

0 Karma

javiergn
Super Champion

See my answer below. I did answer both cases

0 Karma

ArthurGautesen
Path Finder

Two questions off the top.
Is it "C:/Windows/System32/explorer.exe" or "C:\Windows\System32\explorer.exe" ?

And are you enclosing your regular expression in quotes?

0 Karma

Bytes
Explorer

It should be back slashes as it is a normal Windows path. I added forward slashes as it wouldn't allow back slashes (as your answer shows 🙂 )

I wasn't using quotes but even if I do, it still fails to extract the value and place it in a new field named process_name_short.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Quotes are required. The extraction failed because the regex is incorrect.

---
If this reply helps you, Karma would be appreciated.
0 Karma

jmallorquin
Builder

Hi you can use this.

 | rex field=Caller_Process_Name "(?<process_name_short>[^\\]+$)"

Hope i help you

Bytes
Explorer

Needed three slashes as the second was cancelling out the end square bracket.

But IT WORKED!

Here's the full command that worked:

| rex field=Caller_Process_Name "(?<process_name_short>[^\\\]+$)"

This pulls out the program name part of the path and places it in a new field called process_name_short which I was able to run a stats command on to count up the different programs throwing audit fails.

Thanks everyone!

0 Karma

javiergn
Super Champion

Try this:

| rex field=Caller_Process_Name "\/(?<process_name_short>[^\/]+$)"
0 Karma

javiergn
Super Champion

And the equivalent for Windows paths:

| rex field=Caller_Process_Name "\\\(?<process_name_short>[^\\\]+$)"
0 Karma

Bytes
Explorer

Nope neither worked. Got the error returned:

Error in 'rex' command: Encountered the following error while compiling the regex '\

0 Karma

jmallorquin
Builder

this regex doesn't capture nothing... use mine 🙂

javiergn
Super Champion

That's because I made a typo sorry:

 | rex field=Caller_Process_Name "\\\(?<process_name_short>[^\\\]+$)"
0 Karma

javiergn
Super Champion

alt text

0 Karma

dcharboneau_spl
Splunk Employee
Splunk Employee

You should only have two (not three) backslashes at the beginning of the REX and in side the Brackets after the ^.

0 Karma

javiergn
Super Champion

It throws an error with two, I had to use three. See the picture above.
This works:

| stats count
| eval Caller_Process_Name = "C:\Windows\System32\explorer.exe"
| rex field=Caller_Process_Name "\\\(?<process_name_short>[^\\\]+$)"

This doesn't:

| stats count
| eval Caller_Process_Name = "C:\Windows\System32\explorer.exe"
| rex field=Caller_Process_Name "\\(?<process_name_short>[^\\]+$)"

Anyway, let's focus on the actual problem and not mine's 🙂

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Your regular expression doesn't match the example value. Working on regex101.com, I came up with this rex command.

... | rex field=Caller_Process_Name "\\(?<process_name_short>\w+\.\w+)$" | ...
---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...