Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk search removing ../ automatically

AceOfSpades
Engager
‎06-07-2021 07:02 AM

I am currently working on a log and filtering data.

Splunk has identified uri_query as a field.

I have come across an event with the uri_query  field "src=../../../../wp-config.php".

However, when I try and search uri_query="src=../../../../wp-config.php", Splunk automatically removes "../../../".

This shortens the search to uri_query="src=wp-config.php", causing the search to return with no results.

Any help to solve the issue of "../../../" being removed would be appreciated! 

Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-07-2021 07:25 AM

Try putting the search string in double quotes and escaping the (now) embedded double quotes

| makeresults
| eval _raw="blah blah url_query=\"src=../../../../wp-config.php\" blah blah"
| search "url_query=\"src=../../../../wp-config.php\""
Reply

AceOfSpades
Engager
‎06-08-2021 02:02 AM

Thank you for your help.

Unfortunately the issue is persisting.  I have tried manually searching for events using "View events" (see screenshot) however, after clicking, the search still removes "../" , leading to no results.

Before clicking "View events"Before clicking "View events"

After clicking "View events". Note "../" removed.After clicking "View events". Note "../" removed.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-08-2021 02:15 AM

So the issue is with how the gui sets up the search not with the search itself (when it is modified with the escaped quotes as I showed)?

Which version of splunk are you using?

0 Karma
Reply

AceOfSpades
Engager
‎06-08-2021 02:33 AM

I was initially searching via the search bar using a method similar to yours. I have tried using the escape quotes as you suggested but again it removes "../". 

Version: 8.2.0

Build: e053ef3c985f

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...