Splunk Search

Simple search extraction for lines of text with spaces ???

AaronMoorcroft
Communicator

Hey Guys,

I seem to be struggling to pull out some of what I thought would be simple searches.

An example result could look like this -

CommandLine: net share

So how would I run a search to bring back only "CommandLine: net share" from within events as the results, and not every event that contains CommandLine: and/or net and/or share?

Thanks

0 Karma

woodcock
Esteemed Legend

Try this:

"CommandLine: net share" | regex "(?m)[\r\n\s]CommandLine: net share"
0 Karma

AaronMoorcroft
Communicator

Hey guys,

Thanks for the advice, still not working I'm afraid. I can see that it works on Regex101; I also managed to get it working on Regex101 with ^[a-zA-Z]+:[\s[a-z]+\s[a-z]+$

When it's thrown into Splunk it still doesn't work. I swapped the [ ] for ( ) too, as [ ] don't work in Splunk.... I'll keep trying

🙂

Cheers

0 Karma

woodcock
Esteemed Legend

I updated my answer.

0 Karma

AaronMoorcroft
Communicator

Still the same I'm afraid, no results... very much appreciate your assistance though 🙂

0 Karma

woodcock
Esteemed Legend

You must not swap [] for () because it completely changes the RegEx. Did you try mine exactly as I showed it or did you modify it?

0 Karma

AaronMoorcroft
Communicator

exactly as yours pal

0 Karma

gcusello
SplunkTrust

Hi AaronMoorcroft,
Sorry, but I'm not sure I have understood your question, because the answer is too easy:
do you want to insert in a search the exact string "CommandLine: net share" and not every single word?

If this is your question, the answer is very simple:

index=my_index "CommandLine: net share"

In this way you're sure to find only the exact string and not the single words.

Bye.
Giuseppe

0 Karma

AaronMoorcroft
Communicator

Hey Cusello,

You would think so, right? But that brings back no results for me at all. However, if I do ("CommandLine:" AND "net" AND "share") that will bring back some results, as shown below; however, it brings back events that just contain either 1 or 2 of the other words, where all I really want to see is events containing the exact match of "CommandLine: net share".

Don't worry, the below systems are throwaway lab systems, so no corp data is available.

Time Event
1/21/19
1:48:09.000 PM

01/21/2019 01:48:09 PM
LogName=Microsoft-Windows-Sysmon/Operational
SourceName=Microsoft-Windows-Sysmon
EventCode=1
EventType=4
Type=Information
ComputerName=DC01.PurpleHaze.local
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
TaskCategory=Process Create (rule: ProcessCreate)
OpCode=Info
RecordNumber=431111
Keywords=None
Message=Process Create:
RuleName:
UtcTime: 2019-01-21 13:48:09.340
ProcessGuid: {834924C0-CD99-5C45-0000-0010B3DAC700}
ProcessId: 4680
Image: C:\Windows\SysWOW64\net1.exe
FileVersion: 10.0.14393.0 (rs1_release.160715-1616)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
CommandLine: C:\Windows\system32\net1 share
CurrentDirectory: C:\Windows\system32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {834924C0-3E0A-5C40-0000-0020E7030000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA1=382169595D5BBEB535C4575B3EC8CC7E5E933115
ParentProcessGuid: {834924C0-CD99-5C45-0000-00100FDAC700}
ParentProcessId: 1540
ParentImage: C:\Windows\SysWOW64\net.exe
ParentCommandLine: net share
CommandLine = C:\Windows\system32\net1 share host = DC01 source = WinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype = WinEventLog:Microsoft-Windows-Sysmon/Operational

1/21/19
1:48:09.000 PM

01/21/2019 01:48:09 PM
LogName=Microsoft-Windows-Sysmon/Operational
SourceName=Microsoft-Windows-Sysmon
EventCode=1
EventType=4
Type=Information
ComputerName=DC01.PurpleHaze.local
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
TaskCategory=Process Create (rule: ProcessCreate)
OpCode=Info
RecordNumber=431110
Keywords=None
Message=Process Create:
RuleName:
UtcTime: 2019-01-21 13:48:09.330
ProcessGuid: {834924C0-CD99-5C45-0000-00100FDAC700}
ProcessId: 1540
Image: C:\Windows\SysWOW64\net.exe
FileVersion: 10.0.14393.0 (rs1_release.160715-1616)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
CommandLine: net share
CurrentDirectory: C:\Windows\system32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {834924C0-3E0A-5C40-0000-0020E7030000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA1=B160F4462A4728BEC8FA053B99709622A4B4DD20
ParentProcessGuid: {834924C0-C9D7-5C45-0000-0010FCA2C500}
ParentProcessId: 3064
ParentImage: C:\Windows\SysWOW64\cmd.exe
ParentCommandLine: C:\Windows\system32\cmd.exe
CommandLine = net share host = DC01 source = WinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype = WinEventLog:Microsoft-Windows-Sysmon/Operational

0 Karma

gcusello
SplunkTrust

Hi AaronMoorcroft,
In the first sample you shared I see:
ParentCommandLine: net share, which contains your string, but there's an additional word in front of it; in the second one I see CommandLine: net share, which exactly matches your search.
To distinguish the two events, you could use the regex command:

| regex "\s+CommandLine: net share"

you can test it at https://regex101.com/r/N9cnAe/1

Bye.
Giuseppe

0 Karma
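The distinction the answer above relies on (a whitespace character must precede CommandLine, so the "e" at the end of ParentCommandLine fails the match), reproduced here as an added example outside Splunk; this is not code from the thread or from Splunk. The first two records are trimmed copies of the two Sysmon events posted above. The third record, the line-anchored pattern and the key/value field comparison are assumptions added here to show where the `\s+CommandLine: net share` pattern still over-matches and what matching on the extracted CommandLine field (shown as "CommandLine = net share" in the event listing above) amounts to.

```python
import re

# Trimmed copies of the two Sysmon EventCode=1 records posted in the thread
# (constructed here from the thread text; fields not needed for the demo dropped).
EVENT_NET1 = r"""Message=Process Create:
RuleName:
Image: C:\Windows\SysWOW64\net1.exe
CommandLine: C:\Windows\system32\net1 share
User: NT AUTHORITY\SYSTEM
ParentImage: C:\Windows\SysWOW64\net.exe
ParentCommandLine: net share"""

EVENT_NET = r"""Message=Process Create:
RuleName:
Image: C:\Windows\SysWOW64\net.exe
CommandLine: net share
User: NT AUTHORITY\SYSTEM
ParentImage: C:\Windows\SysWOW64\cmd.exe
ParentCommandLine: C:\Windows\system32\cmd.exe"""

# Hypothetical third record (assumption, not from the thread): same prefix,
# but the command line continues, to show the limits of an unanchored pattern.
EVENT_NET_DELETE = EVENT_NET.replace(
    "CommandLine: net share\n", "CommandLine: net share c$ /delete\n", 1
)

EVENTS = {"net1": EVENT_NET1, "net": EVENT_NET, "net_delete": EVENT_NET_DELETE}


def substring_hits(events, phrase="CommandLine: net share"):
    """Plain substring test over the raw text: also hits the net1 record,
    because 'ParentCommandLine: net share' contains the phrase."""
    return sorted(name for name, raw in events.items() if phrase in raw)


def thread_regex_hits(events, pattern=r"\s+CommandLine: net share"):
    """The pattern from the answer above: the required leading whitespace
    excludes ParentCommandLine, but nothing stops the line continuing."""
    rx = re.compile(pattern)
    return sorted(name for name, raw in events.items() if rx.search(raw))


def anchored_regex_hits(events, pattern=r"(?m)^CommandLine: net share\s*$"):
    """Line-anchored variant (assumption: the whole command line must be
    exactly 'net share'); rejects the '/delete' record as well."""
    rx = re.compile(pattern)
    return sorted(name for name, raw in events.items() if rx.search(raw))


def parse_fields(raw):
    """Parse the 'Key: value' lines of a Sysmon message into a dict.
    Lines like 'Message=Process Create:' do not match and are skipped;
    'RuleName:' yields an empty value."""
    fields = {}
    for line in raw.splitlines():
        m = re.match(r"(\w+):\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def field_hits(events, field="CommandLine", value="net share"):
    """Exact comparison on one extracted field, no regex needed."""
    return sorted(
        name for name, raw in events.items() if parse_fields(raw).get(field) == value
    )


if __name__ == "__main__":
    print("substring      :", substring_hits(EVENTS))
    print("thread regex   :", thread_regex_hits(EVENTS))
    print("anchored regex :", anchored_regex_hits(EVENTS))
    print("field compare  :", field_hits(EVENTS))
```

Running it shows the substring test hitting all three records, the `\s+` pattern dropping the net1 record but keeping the `/delete` one, and both the anchored pattern and the field comparison keeping only the record whose CommandLine is exactly "net share".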