Splunk Search

Splunk Regex never works when entered second folder

Cramery_
New Member

Hi

So I ran into a very odd and specific issue. I try to regex-filter a field, let's call it "parent". The field has the following structure (not the actual field I want to regex, but easier to show the issue, so other options like "use .*" or something won't work):
C:\\Windows\\System32\\test\\
I try to regex this field like:
"C:\\\\Windows\\\\System32\\\\test\\\\"
This does not work

But as soon as I delete this second folder
"C:\\\\Windows\\\\.*\\\\test\\\\"
it works.

And this will be over all fields, no matter which field with a path I take, as soon as I enter this second folder, it will immediately stop working. I also tried to add different special characters, all numbers and letters, space, tab etc. also tried to change the "\\\\", Adding ".*System32.*" but nothing works out.

Has someone else ever run into this issue and got a solution?


yuanliu
SplunkTrust

Like @gcusello says, matching backslash is tricky.  This is because backslash is used as an escape character so special characters can be used as literals.  This applies to backslash itself as well.  This needs to be taken into consideration whenever an interpreter/compiler uses backslash as an escape character.

When you run rex (or any function that uses regex) in a search command, two interpreters act on the string in between double quotes: the regex engine and SPL interpreter.  As such, to match two consecutive backslashes, you need 8 backslashes instead of 4.  Try this:

| makeresults format=csv data="myregex
C:\\\\Windows\\\\System32\\\\test\\\\
C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\test\\\\\\\\"
| eval parent = "C:\\\\Windows\\\\System32\\\\test\\\\"
| eval match_or_not = if(match(parent, myregex), "yes", "no")

The result is

match_or_not | myregex                                | parent
no           | C:\\Windows\\System32\\test\\          | C:\\Windows\\System32\\test\\
yes          | C:\\\\Windows\\\\System32\\\\test\\\\  | C:\\Windows\\System32\\test\\

This test illustrates the same thing:

| makeresults format=csv data="parent
C:\\\\Windows\\\\System32\\\\test\\\\"
| eval match_or_not1 = if(match(parent, "C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\test\\\\\\\\"), "yes", "no")
| eval match_or_not2 = if(match(parent, "C:\\\\Windows\\\\System32\\\\test\\\\"), "yes", "no")

match_or_not1 | match_or_not2 | parent
yes           | no            | C:\\Windows\\System32\\test\\

If you look around, SPL is not the only interpreter that interprets strings in between double quotes.  For example, in order to produce your test string "C:\\Windows\\System32\\test\\" using echo command in shell, you use

% echo "C:\\\\\\Windows\\\\\\System32\\\\\\\\test\\\\\\"
#         ^6x          ^6x           ^7x         ^6x
C:\\Windows\\System32\\test\\

I will leave it as homework to figure out why one segment needs 7 backslashes.

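The two-interpreter behaviour described in the answer above can be modelled outside Splunk. The following Python script is an added example, not code from the thread or from Splunk: it emulates the SPL double-quoted-string layer (simplified assumption: `\\` becomes one backslash, `\"` becomes a quote, every other backslash sequence passes through unchanged, which is why `rex "\d+"` needs no doubling), then hands the result to a regex engine, and reproduces the yes/no results of the two tests. It also generates the literal you have to type for a given field value, once for a regex that goes through only the regex layer (a REGEX line in a .conf file, or regex101.com) and once for a regex typed inside a search string. The function names `spl_unquote`, `spl_match`, `regex_only_match` and `escape_for_spl_regex` are my own.

```python
import re

# Literals exactly as they appear in the thread (Python raw strings keep every backslash).
FOUR = r"C:\\\\Windows\\\\System32\\\\test\\\\"                    # 4 per separator, the question
EIGHT = r"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\test\\\\\\\\"    # 8 per separator, the answer


def spl_unquote(literal: str) -> str:
    """Model of what SPL does to the text between double quotes (simplified assumption).

    \\ -> \ and \" -> " ; any other backslash sequence is left untouched.
    """
    out = []
    i = 0
    while i < len(literal):
        ch = literal[i]
        if ch == "\\" and i + 1 < len(literal) and literal[i + 1] in ("\\", '"'):
            out.append(literal[i + 1])
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


# The field value produced by  | eval parent = "C:\\\\Windows\\\\System32\\\\test\\\\"
# holds TWO real backslashes per separator (4 typed -> 2 stored).
PARENT_VALUE = spl_unquote(FOUR)


def spl_match(field_value: str, regex_literal: str) -> bool:
    """Emulate match(field, "regex_literal") in a search: string layer, then regex engine."""
    pattern = spl_unquote(regex_literal)
    return re.search(pattern, field_value) is not None


def regex_only_match(field_value: str, regex_literal: str) -> bool:
    """Emulate a regex that never passes through SPL quoting (e.g. REGEX in a .conf file)."""
    return re.search(regex_literal, field_value) is not None


def escape_for_spl_regex(value: str, in_search: bool = True) -> str:
    """Return the literal to type so that `value` is matched exactly.

    Regex layer: re.escape doubles each backslash (and escapes other metacharacters).
    Search string layer (in_search=True): SPL halves backslashes again, so double once more.
    """
    regex = re.escape(value)
    if in_search:
        regex = regex.replace("\\", "\\\\")
    return regex


def demo() -> dict:
    """Results of the two tests from the thread, plus the generated literals."""
    return {
        "four_in_search": spl_match(PARENT_VALUE, FOUR),      # no  (4 -> 2 -> matches 1 backslash)
        "eight_in_search": spl_match(PARENT_VALUE, EIGHT),    # yes (8 -> 4 -> matches 2 backslashes)
        "four_in_conf": regex_only_match(PARENT_VALUE, FOUR),  # yes (no SPL layer: 4 -> matches 2)
        "literal_for_search": escape_for_spl_regex(PARENT_VALUE),
        "literal_for_conf": escape_for_spl_regex(PARENT_VALUE, in_search=False),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The practical use is the last two entries: take the value as it is actually stored in the field, run it through `escape_for_spl_regex`, and paste the result into `match()`, `rex` or `| regex`; the same value with `in_search=False` is what belongs in a .conf file or in regex101.com.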

gcusello
SplunkTrust

Hi @Cramery_ ,

could you share a sample of your complete logs (eventually anonymized)?

Anyway, when there's a backslash, it's always a problem because you need to add more backslashes than usual on regex101.com.

Do you need to use the regex in a search or in conf files?

If in conf files, use the number of backslashes that you use in regex101; if in a search, add one backslash.

Ciao.

Giuseppe
