Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

search does not match token which contains file path with special characters

ToniHuynh
Explorer
‎08-17-2020 10:39 PM

Hi Everyone,

I passed a token which contain a file path with some special character into a search but it does not show any result:

 

index=wineventlog EventCode=4660 OR EventCode=4663 Account_Name!="ANONYMOUS LOGON" host="MELFP" Account_Name!="*$" 
| eval ObjectName=urldecode("D:\Company Data\HR\Payroll\HR$ (MELFP02) (P) - Shortcut.lnk") 
| eval ObjectName=replace(ObjectName,"\\\\","\\\\\\")
| where match(Object_Name,ObjectName)
| table _time host Account_Name Account_Domain Object_Name Accesses EventCodeDescription 
| sort _time desc

 

 

However, If I compare directly as below then it would show result.

 

|search Object_Name="D:\\Company Data\\HR\Payroll\\HR$ (MELFP02) (P) - Shortcut.lnk"

 

 

Not sure why because if I shows the ObjectName, it is decoded correctly as below

"D:\\Company Data\\HR\Payroll\\HR$ (MELFP02) (P) - Shortcut.lnk"

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-02-2020 06:02 AM

Are Object_Name and ObjectName identical?  If not, does ObjectName contain pattern characters that would produce a match with Object_Name?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-18-2020 06:42 AM

The second argument to the match function must be a valid regular expression.  While you've taken the precaution to escape the backslash characters, you must also do so with the other regex special characters such as $, (, and ..

If that's too much effort (understandable), try the like function, instead.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

ToniHuynh
Explorer
‎09-01-2020 05:03 PM

Thanks @richgalloway but like function still does not work for me.

| where like(Object_Name,ObjectName)
0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...