Re: search does not match token which contains fil...

ToniHuynh · ‎08-17-2020

Hi Everyone,

I passed a token which contain a file path with some special character into a search but it does not show any result:

index=wineventlog EventCode=4660 OR EventCode=4663 Account_Name!="ANONYMOUS LOGON" host="MELFP" Account_Name!="*$" 
| eval ObjectName=urldecode("D:\Company Data\HR\Payroll\HR$ (MELFP02) (P) - Shortcut.lnk") 
| eval ObjectName=replace(ObjectName,"\\\\","\\\\\\")
| where match(Object_Name,ObjectName)
| table _time host Account_Name Account_Domain Object_Name Accesses EventCodeDescription 
| sort _time desc

However, If I compare directly as below then it would show result.

|search Object_Name="D:\\Company Data\\HR\Payroll\\HR$ (MELFP02) (P) - Shortcut.lnk"

Not sure why because if I shows the ObjectName, it is decoded correctly as below

"D:\\Company Data\\HR\Payroll\\HR$ (MELFP02) (P) - Shortcut.lnk"

richgalloway · ‎09-02-2020

Are Object_Name and ObjectName identical? If not, does ObjectName contain pattern characters that would produce a match with Object_Name?

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎08-18-2020

The second argument to the match function must be a valid regular expression. While you've taken the precaution to escape the backslash characters, you must also do so with the other regex special characters such as $, (, and ..

If that's too much effort (understandable), try the like function, instead.

---
If this reply helps you, Karma would be appreciated.

ToniHuynh · ‎09-01-2020

Thanks @richgalloway but like function still does not work for me.

| where like(Object_Name,ObjectName)

search does not match token which contains file path with special characters

search job inspector

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability