Hey Guys,
I seem to be struggling to pull out what I thought would be some simple searches.
An example result could look like this:
CommandLine: net share
So how would I run a search to bring back only "CommandLine: net share" from within events as the results, and not every event that contains "CommandLine:" and/or "net" and/or "share"?
Thanks
Try this:
"CommandLine: net share" | regex "(?m)[\r\n\s]CommandLine: net share"
Hey guys,
Thanks for the advice, still not working I'm afraid. I can see that it works on Regex101; I also managed to get it working on Regex101 with ^[a-zA-Z]+:[\s[a-z]+\s[a-z]+$
When it's thrown into Splunk it still doesn't work. I swapped the [ ] for ( ) too, as [ ] don't work in Splunk... I'll keep trying
🙂
Cheers
I updated my answer.
Still the same, I'm afraid, no results... very much appreciate your assistance though 🙂
You must not swap [] for () because it completely changes the RegEx. Did you try mine exactly as I showed it, or did you modify it?
Exactly as yours, pal.
Hi AaronMoorcroft,
sorry, but I'm not sure I have understood your question, because the answer is too easy:
do you want to insert in a search the exact string "CommandLine: net share" and not every single word?
If this is your question, the answer is very simple:
index=my_index "CommandLine: net share"
In this way you're sure to find only the exact string and not the single words.
Bye.
Giuseppe
Hey Cusello,
You would think so, right? But that brings back no results for me at all. However, if I do "CommandLine:" AND "net" AND "share", that will bring back some results, as shown below, but it brings back events that just contain one or two of the other words, where all I really want to see is events containing the exact match of "CommandLine: net share".
Don't worry, the systems below are throwaway lab systems, so no corp data is available.
Time Event
1/21/19
1:48:09.000 PM
01/21/2019 01:48:09 PM
LogName=Microsoft-Windows-Sysmon/Operational
SourceName=Microsoft-Windows-Sysmon
EventCode=1
EventType=4
Type=Information
ComputerName=DC01.PurpleHaze.local
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
TaskCategory=Process Create (rule: ProcessCreate)
OpCode=Info
RecordNumber=431111
Keywords=None
Message=Process Create:
RuleName:
UtcTime: 2019-01-21 13:48:09.340
ProcessGuid: {834924C0-CD99-5C45-0000-0010B3DAC700}
ProcessId: 4680
Image: C:\Windows\SysWOW64\net1.exe
FileVersion: 10.0.14393.0 (rs1_release.160715-1616)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
CommandLine: C:\Windows\system32\net1 share
CurrentDirectory: C:\Windows\system32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {834924C0-3E0A-5C40-0000-0020E7030000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA1=382169595D5BBEB535C4575B3EC8CC7E5E933115
ParentProcessGuid: {834924C0-CD99-5C45-0000-00100FDAC700}
ParentProcessId: 1540
ParentImage: C:\Windows\SysWOW64\net.exe
ParentCommandLine: net share
CommandLine = C:\Windows\system32\net1 share host = DC01 source = WinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype = WinEventLog:Microsoft-Windows-Sysmon/Operational
1/21/19
1:48:09.000 PM
01/21/2019 01:48:09 PM
LogName=Microsoft-Windows-Sysmon/Operational
SourceName=Microsoft-Windows-Sysmon
EventCode=1
EventType=4
Type=Information
ComputerName=DC01.PurpleHaze.local
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
TaskCategory=Process Create (rule: ProcessCreate)
OpCode=Info
RecordNumber=431110
Keywords=None
Message=Process Create:
RuleName:
UtcTime: 2019-01-21 13:48:09.330
ProcessGuid: {834924C0-CD99-5C45-0000-00100FDAC700}
ProcessId: 1540
Image: C:\Windows\SysWOW64\net.exe
FileVersion: 10.0.14393.0 (rs1_release.160715-1616)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
CommandLine: net share
CurrentDirectory: C:\Windows\system32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {834924C0-3E0A-5C40-0000-0020E7030000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA1=B160F4462A4728BEC8FA053B99709622A4B4DD20
ParentProcessGuid: {834924C0-C9D7-5C45-0000-0010FCA2C500}
ParentProcessId: 3064
ParentImage: C:\Windows\SysWOW64\cmd.exe
ParentCommandLine: C:\Windows\system32\cmd.exe
CommandLine = net share host = DC01 source = WinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype = WinEventLog:Microsoft-Windows-Sysmon/Operational
Hi AaronMoorcroft,
in the first sample you shared I see:
ParentCommandLine: net share
which contains your string, but there is an additional word in front of it; in the second one, instead, I see:
CommandLine: net share
which exactly matches your search.
To distinguish the two events, you could use the regex command:
| regex "\s+CommandLine: net share"
You can test it at https://regex101.com/r/N9cnAe/1
Bye.
Giuseppe
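To make the difference between the three matching styles discussed in this thread concrete, here is an added example (not from the thread or from Splunk) that applies the same logic in plain Python to two constructed events modelled on the Sysmon EventCode=1 events quoted above, trimmed to the relevant lines. It shows why an AND of the three words and even the quoted phrase both hit the net1.exe event (its ParentCommandLine line contains the substring "CommandLine: net share"), while the whitespace-prefixed regex from the answer, and a line-anchored variant of it, hit only the net.exe event. The function names and the trimmed event text are assumptions made for the example; the regex in answer_regex_match is the one from the answer above.

```python
import re

# Constructed sample events, modelled on the two Sysmon process-creation
# events quoted in the thread and trimmed to the lines that matter here.
EVENT_NET1 = r"""Message=Process Create:
Image: C:\Windows\SysWOW64\net1.exe
CommandLine: C:\Windows\system32\net1 share
ParentImage: C:\Windows\SysWOW64\net.exe
ParentCommandLine: net share
"""

EVENT_NET = r"""Message=Process Create:
Image: C:\Windows\SysWOW64\net.exe
CommandLine: net share
ParentImage: C:\Windows\SysWOW64\cmd.exe
ParentCommandLine: C:\Windows\system32\cmd.exe
"""

EVENTS = {"net1.exe": EVENT_NET1, "net.exe": EVENT_NET}


def token_match(event, terms):
    """Every term appears somewhere in the event, like "CommandLine:" AND "net" AND "share"."""
    return all(term in event for term in terms)


def phrase_match(event, phrase):
    """The quoted phrase appears as-is anywhere in the raw text.

    Still true for the net1.exe event, because the substring
    "CommandLine: net share" sits inside "ParentCommandLine: net share".
    """
    return phrase in event


# The regex from the answer above: whitespace must precede "CommandLine:",
# so the "t" at the end of "ParentCommandLine" cannot satisfy it.
ANSWER_RE = re.compile(r"\s+CommandLine: net share")


def answer_regex_match(event):
    return ANSWER_RE.search(event) is not None


# A tighter, line-anchored variant (assumption, not from the thread): the
# field must start its own line and carry no further arguments.
ANCHORED_RE = re.compile(r"(?m)^CommandLine: net share\s*$")


def anchored_match(event):
    return ANCHORED_RE.search(event) is not None


def run_all():
    """Evaluate every matching style against every sample event."""
    return {
        name: {
            "token": token_match(event, ["CommandLine:", "net", "share"]),
            "phrase": phrase_match(event, "CommandLine: net share"),
            "answer_regex": answer_regex_match(event),
            "anchored": anchored_match(event),
        }
        for name, event in EVENTS.items()
    }


if __name__ == "__main__":
    for name, result in run_all().items():
        print(name, result)
```

Running it shows the net1.exe event passing the token and phrase checks but failing both regex checks, and the net.exe event passing all four; that is exactly the separation the regex command gives you in Splunk, where a bare quoted phrase is also found inside the ParentCommandLine field.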