Splunk Search

Simple search extraction for lines of text with spaces ???

AaronMoorcroft
Communicator

Hey Guys,

I seem to be struggling to pull out what I thought would be simple searches.

An example result could look like this -

CommandLine: net share

So how would I run a search to bring back only "CommandLine: net share" from within events as the results, and not every event that contains CommandLine: and/or net and/or share?

Thanks

0 Karma

woodcock
Esteemed Legend

Try this:

"CommandLine: net share" | regex "(?m)[\r\n\s]CommandLine: net share"

0 Karma

AaronMoorcroft
Communicator

Hey guys,

Thanks for the advice, still not working I'm afraid. I can see that it works on Regex101; I also managed to get it working on Regex101 with ^[a-zA-Z]+:[\s[a-z]+\s[a-z]+$

When it's thrown into Splunk it still doesn't work. I swapped the [ ] for ( ) too, as [ ] don't work in Splunk.... I'll keep trying

🙂

Cheers

0 Karma

woodcock
Esteemed Legend

I updated my answer.

0 Karma

AaronMoorcroft
Communicator

Still the same I'm afraid, no results... very much appreciate your assistance though 🙂

0 Karma

woodcock
Esteemed Legend

You must not swap [] for () because it completely changes the RegEx. Did you try mine exactly as I showed it or did you modify it?

0 Karma

AaronMoorcroft
Communicator

Exactly as yours, pal

0 Karma

gcusello
Legend

Hi AaronMoorcroft,
sorry, but I'm not sure I have understood your question because the answer is too easy:
do you want to insert in a search the exact string "CommandLine: net share" and not every single word?

If this is your question, the answer is very simple:

index=my_index "CommandLine: net share"

In this way you're sure to find only the exact string and not the single words.

Bye.
Giuseppe

0 Karma

AaronMoorcroft
Communicator

Hey Cusello,

You would think so, right? But that brings back no results for me at all. However, if I do ("CommandLine:" AND "net" AND "share") that will bring back some results, as shown below; however, it brings back events that just contain either 1 or 2 of the other words, where all I really want to see is events containing the exact match of "CommandLine: net share".

Don't worry, the below systems are throwaway lab systems so no corp data is available.

Time Event
1/21/19
1:48:09.000 PM

01/21/2019 01:48:09 PM
LogName=Microsoft-Windows-Sysmon/Operational
SourceName=Microsoft-Windows-Sysmon
EventCode=1
EventType=4
Type=Information
ComputerName=DC01.PurpleHaze.local
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
TaskCategory=Process Create (rule: ProcessCreate)
OpCode=Info
RecordNumber=431111
Keywords=None
Message=Process Create:
RuleName:
UtcTime: 2019-01-21 13:48:09.340
ProcessGuid: {834924C0-CD99-5C45-0000-0010B3DAC700}
ProcessId: 4680
Image: C:\Windows\SysWOW64\net1.exe
FileVersion: 10.0.14393.0 (rs1_release.160715-1616)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
CommandLine: C:\Windows\system32\net1 share
CurrentDirectory: C:\Windows\system32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {834924C0-3E0A-5C40-0000-0020E7030000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA1=382169595D5BBEB535C4575B3EC8CC7E5E933115
ParentProcessGuid: {834924C0-CD99-5C45-0000-00100FDAC700}
ParentProcessId: 1540
ParentImage: C:\Windows\SysWOW64\net.exe
ParentCommandLine: net share
CommandLine = C:\Windows\system32\net1 share host = DC01 source = WinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype = WinEventLog:Microsoft-Windows-Sysmon/Operational

1/21/19
1:48:09.000 PM

01/21/2019 01:48:09 PM
LogName=Microsoft-Windows-Sysmon/Operational
SourceName=Microsoft-Windows-Sysmon
EventCode=1
EventType=4
Type=Information
ComputerName=DC01.PurpleHaze.local
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
TaskCategory=Process Create (rule: ProcessCreate)
OpCode=Info
RecordNumber=431110
Keywords=None
Message=Process Create:
RuleName:
UtcTime: 2019-01-21 13:48:09.330
ProcessGuid: {834924C0-CD99-5C45-0000-00100FDAC700}
ProcessId: 1540
Image: C:\Windows\SysWOW64\net.exe
FileVersion: 10.0.14393.0 (rs1_release.160715-1616)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
CommandLine: net share
CurrentDirectory: C:\Windows\system32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {834924C0-3E0A-5C40-0000-0020E7030000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA1=B160F4462A4728BEC8FA053B99709622A4B4DD20
ParentProcessGuid: {834924C0-C9D7-5C45-0000-0010FCA2C500}
ParentProcessId: 3064
ParentImage: C:\Windows\SysWOW64\cmd.exe
ParentCommandLine: C:\Windows\system32\cmd.exe
CommandLine = net share host = DC01 source = WinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype = WinEventLog:Microsoft-Windows-Sysmon/Operational

0 Karma

gcusello
Legend

Hi AaronMoorcroft,
in the first sample you shared I see:
ParentCommandLine: net share, which matches your string but has an additional word before it; in the second one I see CommandLine: net share, which exactly matches your search.
To distinguish the two events, you could use the regex command:

| regex "\s+CommandLine: net share"

You can test it at https://regex101.com/r/N9cnAe/1

Bye.
Giuseppe

0 Karma
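The point of the accepted answer, shown as an added example that is not from the thread or from Splunk: the two Sysmon events differ only in whether "net share" sits on the CommandLine line or on the ParentCommandLine line, and an unanchored substring test cannot tell them apart while a regex anchored to the start of the line (or preceded by whitespace, as in gcusello's `\s+CommandLine: net share`) can. The two events below are constructed and abbreviated copies of the ones posted; `phrase_search` is a plain case-insensitive substring test used as a stand-in for a quoted-phrase search, which is an assumption made for illustration rather than a model of Splunk's term-based matching.

```python
import re

# Constructed, abbreviated Sysmon EventCode=1 events shaped like the two in the thread.
# Event A: the net1.exe child process; only its ParentCommandLine is "net share".
EVENT_A = """Message=Process Create:
Image: C:\\Windows\\SysWOW64\\net1.exe
CommandLine: C:\\Windows\\system32\\net1 share
ParentImage: C:\\Windows\\SysWOW64\\net.exe
ParentCommandLine: net share"""

# Event B: the net.exe process itself; its CommandLine is exactly "net share".
EVENT_B = """Message=Process Create:
Image: C:\\Windows\\SysWOW64\\net.exe
CommandLine: net share
ParentImage: C:\\Windows\\SysWOW64\\cmd.exe
ParentCommandLine: C:\\Windows\\system32\\cmd.exe"""

EVENTS = {"A": EVENT_A, "B": EVENT_B}


def phrase_search(event: str, phrase: str) -> bool:
    """Stand-in for a quoted-phrase search: a case-insensitive substring test.
    'CommandLine: net share' is a substring of 'ParentCommandLine: net share',
    so this returns True for both events."""
    return phrase.lower() in event.lower()


def preceding_whitespace_match(event: str, field: str, value: str) -> bool:
    """The \\s+ prefix from the accepted answer: a whitespace character (the
    newline in a multi-line event) must precede the field name, so the
    'Parent' prefix of ParentCommandLine breaks the match."""
    pattern = rf"\s+{re.escape(field)}: {re.escape(value)}"
    return re.search(pattern, event) is not None


def field_line_match(event: str, field: str, value: str) -> bool:
    """Stricter variant: the field name must start a line and the value must
    end it, so 'net1 share' and any trailing arguments are excluded as well."""
    pattern = rf"(?m)^{re.escape(field)}:\s*{re.escape(value)}\s*$"
    return re.search(pattern, event) is not None


def select(events: dict, predicate) -> list:
    """Return the sorted keys of the events the predicate accepts."""
    return sorted(key for key, event in events.items() if predicate(event))


if __name__ == "__main__":
    print("substring :", select(EVENTS, lambda e: phrase_search(e, "CommandLine: net share")))
    print("\\s+ prefix :", select(EVENTS, lambda e: preceding_whitespace_match(e, "CommandLine", "net share")))
    print("anchored  :", select(EVENTS, lambda e: field_line_match(e, "CommandLine", "net share")))
```

The same anchoring carries over to SPL: `| regex "\s+CommandLine: net share"` keeps only the event where the exact command was run, which is the one a detection for `net share` enumeration usually wants, while the child `net1` event still shows up through `ParentCommandLine` if you search that field instead.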