To make it easier to understand and avoid confusion.
Assuming I have these kinds of log entries:
2017-10-10 10:53 <dest_host = dest_host2.domain.com> <Host_Application = C:\Windows\SYSNATIVE\WINDOW~1\v1.0\powershell.exe -command stop-process -processname DeployControlFullScanSCEP* -force>
and
2017-10-10 10:55 <dest_host = dest_host1.domain.com> <Host_Application = C:\Windows\SYSNATIVE\WINDOW~1\v1.0\powershell.exe>
and a lookupfile called exclude.csv with the following structure:
host, dest_host, Host_Application
host1, dest_host1.domain.com, C:\Windows\SYSNATIVE\WINDOW~1\v1.0\powershell.exe
host2, dest_host2.domain.com, C:\Windows\SYSNATIVE\WINDOW~1\v1.0\powershell.exe -command stop-process -processname DeployControlFullScanSCEP* -force
To test my whitelisting I narrow down the results with the following search to get only these events.
index=powershell Host_Application="C:\\Windows\\SYSNATIVE\\WINDOW~1\\v1.0\\powershell.exe -command stop-process -processname DeployControlFullScanSCEP* -force" OR Host_Application="C:\\Windows\\SYSNATIVE\\WINDOW~1\\v1.0\\powershell.exe"
| table host dest_host Host_Application
I get the correct table:
host, dest_host, Host_Application
host1, dest_host1.domain.com, C:\Windows\SYSNATIVE\WINDOW~1\v1.0\powershell.exe
host2, dest_host2.domain.com, C:\Windows\SYSNATIVE\WINDOW~1\v1.0\powershell.exe -command stop-process -processname DeployControlFullScanSCEP* -force
Now it's time to make this result disappear through an inputlookup and see if the whitelisting works.
index=powershell Host_Application="C:\\Windows\\SYSNATIVE\\WINDOW~1\\v1.0\\powershell.exe -command stop-process -processname DeployControlFullScanSCEP* -force" OR Host_Application="C:\\Windows\\SYSNATIVE\\WINDOW~1\\v1.0\\powershell.exe" NOT
[| inputlookup exclude.csv | table * ]
It works but Splunk complains about the asterisk:
...contains a wildcard in the middle of a word or string. This might cause inconsistent results if the characters that the wildcard represents include punctuation.
I just can't figure out a solution that would satisfy Splunk. I hope that I was able to express my challenge more clearly.
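For comparison, here is the same whitelist applied with the lookup command instead of a NOT subsearch. This is an added example, not code from the poster: the subsearch above expands the CSV rows into field=value search terms, so the literal asterisk in Host_Application becomes a search-time wildcard and triggers the warning, whereas the lookup command (assuming the default exact, literal match_type for a CSV lookup) compares the event value against the CSV value character for character.

```spl
index=powershell
| lookup exclude.csv dest_host Host_Application OUTPUT host AS whitelist_host
| where isnull(whitelist_host)
| table host dest_host Host_Application
```

Events whose dest_host and Host_Application pair matches a row in exclude.csv receive the row's host value as whitelist_host and are dropped by the where clause; everything else passes through unchanged.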