Re: Rex for drive letters

nashia · ‎05-22-2019

I only want to look at built in shares like A$-Z$, but not ADMIN$ or IPC$. Is there a rex expression that will allow me to do this?

rex field=share_name "(?[a-zA-Z]{1}+)\$+" works similarly, where I get A$, C$, D$, G$, etc; but it will also give me C$ from the end of IPC$ and N$ from the end of ADMIN$.

I guess what I need is to first only rex if there are two characters (letter + $)... Any help is appreciated.

FrankVl · ‎05-22-2019

What is in the share_name field? Just the short name, or a full url like \servername\c$?

harsmarvania57 · ‎05-22-2019

Hi,

Please try below regex

| rex field=share_name "^(?<drive>[a-zA-Z]\$)"

nashia · ‎05-22-2019

Hi, Thank you for your answer; unfortunately it does not work.

FrankVl · ‎05-22-2019

Can you be a bit more specific than "it does not work"?

FrankVl · ‎05-22-2019

Second z should be Z I guess? 😉

But yes, that should do the trick. If the share_name contains a full UNC path, try "\\(?<drive>[a-zA-Z]\$)"

harsmarvania57 · ‎05-22-2019

Thanks for pointing this. 🙂

Rex for drive letters

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?

Rex for drive letters

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR