Re: Using regex to drop specific events

rdevine · ‎03-01-2012

i have an event that looks like this

03/01/2012 03:05:43 PM LogName=Security SourceName=Security EventCode=562 EventType=8 Type=Success Audit ComputerName=GLSSQLINT User=SYSTEM Sid=S-1-5-18 SidType=1 Category=3 CategoryString=Object Access RecordNumber=250015 Message=Handle Closed:

Object Server:  Security

Handle ID:  940

Process ID: 1288

Image File Name:    C:\Program Files\ISS\Proventia Server\phService.exe

I want these messages to be dropped if both type=success audit AND CategoryString=Object Access, however when i create the regex to do this which i think is supposed to be
(?m)(?=.*Type=Success Audit)(?=.*CategoryString=Object Access)
it doesn't seem to work. What am I doing wrong?

rdevine · ‎03-02-2012

ultimately this worked.

(?ms)(?=Success\sAudit)(?=.*CategoryString=Object\sAccess)

lguinn2 · ‎03-02-2012

Good catch. You definitely needed the (?ms) not just the (?m)

lguinn2 · ‎03-01-2012

I think that the following would do it. Not sure why you are using lookahead - it isn't needed here.

(?m)Type=Success Audit.*CategoryString=Object Access

rdevine · ‎03-02-2012

I tried this and it did not work.

Using regex to drop specific events

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Calling All Security Pros: Ready to Race Through Boston?

Are you a member of the Splunk Community?

Using regex to drop specific events

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Calling All Security Pros: Ready to Race Through Boston?