Solved: Re: Search for multiple apperances of a pattern in...

KMoryson · ‎04-28-2022

Hi, is there a way to search for more than one appearance of a pattern in a string?

For example:
Command
cmd.exe c:\windows\\\\\\\\sytem32\[...]
cmd.exe c:\windows\sytem32\[...]

I would want to search for rows with more than single consecutive "\" , in case of above only first row to be returned.

ITWhisperer · ‎04-28-2022

Have you even tried it?

Due to the way splunk escapes backslash in regex expressions, you need 4 backslashes to match a single backslash in the field, therefore 8 backslashes (as I have used), will find anything more than 1 in the field.

| makeresults
| eval _raw="cmd.exe c:\\windows\\\\\\\\\\\\\\\\sytem32\\[...]
cmd.exe c:\\\\windows\\\\sytem32\\\\[...]
cmd.exe c:\\windows\\sytem32\\[...]"
| multikv noheader=t
| regex _raw="\\\\\\\\"

View solution in original post

ITWhisperer · ‎04-28-2022

| regex _raw="\\\\\\\\"

KMoryson · ‎04-28-2022

This only matches to this specific amount of backslashes, I want to match for any number above one

ITWhisperer · ‎04-28-2022

Have you even tried it?

Due to the way splunk escapes backslash in regex expressions, you need 4 backslashes to match a single backslash in the field, therefore 8 backslashes (as I have used), will find anything more than 1 in the field.

| makeresults
| eval _raw="cmd.exe c:\\windows\\\\\\\\\\\\\\\\sytem32\\[...]
cmd.exe c:\\\\windows\\\\sytem32\\\\[...]
cmd.exe c:\\windows\\sytem32\\[...]"
| multikv noheader=t
| regex _raw="\\\\\\\\"

KMoryson · ‎04-28-2022

So sorry, you are right, this works wonderfully, thank you for help

Search for multiple apperances of a pattern in a field

eval

field extraction

regex

rex

Splunk Observability Cloud | Customer Survey!

Happy CX Day, Splunk Community!

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas