Splunk Search

regex to grab .exe files

splunkingsplun1
Explorer

these are my logs and i need to grab complete .exe filenames:

1366986567.625 41 94.229.0.20 TCP_DENIED/403 1896 GET http://193.142.244.17/lxkj3824y896yursilh/5492.exe cindy@demo.com NONE/- - BLOCK_WBRS-DefaultGroup-Demo_Clients-NONE-NONE-NONE - -

1366984129.742 47 27.35.11.11 NONE/503 1890 GET http://topwinsystemscan.com/install/installpv.exe maximus@demo.com NONE/topwinsystemscan.com - OTHER-NONE-Demo_Clients-NONE-NONE-DefaultRouting - -

1366965031.191 8 203.172.197.2 TCP_DENIED/403 1866 GET http://81.174.66.128/.comete/10.exe tom@demo.com NONE/- - BLOCK_WBRS-DefaultGroup-Demo_Clients-NONE-NONE-NONE - -

this is my progress so far:

| rex field=_raw "http://[a-z0-9./]+(?<EXE>)[A-Za-z0-9].exe)"

Tags (1)
0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

Assuming you want the bit from after the slash (exclusive) to the .exe (inclusive), try something like this:

... | rex "/(?<filename>[^/]+?\.exe)"

This looks for a slash, then grabs as few non-slashes as possible until the first .exe mention. Note, this would fail if you have entries like foo/bar.exefile.something because it would recognize bar.exe - if you expect those cases then you can for example include the trailing space in the regular expression after the closing parenthesis.

View solution in original post

tgow
Splunk Employee
Splunk Employee

You are very close but try this one and see if it works for you:

... | rex field=_raw "\s+http://[a-zA-Z0-9./]+\/(?[^.]+).exe\s+"

the lookahead assertion might have been causing problems. I also grabbed everything up to the last slash then the field "exe" is populated with everything that is not a period. Just a different technique but hope this works out for you.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Assuming you want the bit from after the slash (exclusive) to the .exe (inclusive), try something like this:

... | rex "/(?<filename>[^/]+?\.exe)"

This looks for a slash, then grabs as few non-slashes as possible until the first .exe mention. Note, this would fail if you have entries like foo/bar.exefile.something because it would recognize bar.exe - if you expect those cases then you can for example include the trailing space in the regular expression after the closing parenthesis.

Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...