Hi All,
I am trying to create a search that will parse our endpoint logs for any executable that have been run from the Desktop or Downloads folders and any sub folders. Most searches I try return a large number of false positives (product names or folders have desktop or downloads in the name, but they aren't specifically in that folder. So to combat this I'm trying to rex the specific folder. Using the regex I have below on regex101 it works exactly how I expect. However in splunk I get, first a missing parenthesis error, and if I arbitrarily add another close parenthesis I get "look back is not a fixed length" error. Thoughts?
sourcetype=endpointsource AND event_name=process_ran
| rex field=CommandLine "(?<=\\Desktop|Downloads\\)(?<EXE_RAN>.*\.exe)"
| table _time ComputerName TargetFileName EXE_RAN user
Example of it working on regex101: https://regex101.com/r/24uxEB/1
Thanks!
... View more