Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Regex match on "message" portion of event

montydo
Explorer
‎01-20-2020 03:04 AM

From the splunk windows_TA guide

"The following keys are equivalent to the fields which appear in the text of
the acquired events: Category CategoryString ComputerName EventCode
EventType Keywords LogName **Message** OpCode RecordNumber Sid SidType
SourceName TaskCategory Type User"

I'm trying to filter on the contents of the "Message" field:

An operation was attempted on a privileged object. Subject: Security ID:    ROOT\username Account Name: username Account Domain:    DOMAINNAME Logon ID:    0x200ABCD1 Object: Object Server:   Security Object Type:   - Object Name:  - Object Handle: 0x1234 Process Information: Process ID:    0x12A3 Process Name:    **C:\Program Files\Veeam\Backup and Replication\Console\veeam.backup.shell.exe** Requested Operation: Desired Access:   1234567 Privileges: SeTakeOwnershipPrivilege

I'm looking to match on the "C:\Program Files\Veeam\Backup and Replication\Console\veeam.backup.shell.exe" portion and discard the events through a blacklist stanza in the inputs.conf on the Universal Forwarder.

Something like:

blacklist3 = | key=regex [key=REGEXHERE?]

Is this possible? and can anyone help with the regex?

Tags (2)
0 Karma
Reply

damann
Communicator
‎01-20-2020 04:09 AM

Try this for your blacklisting.
Make sure you escape your backslashes and your dots as they would be interpreted as wildcards.

blacklist3 = Message="Process Name:\s+\*\*C:\\Program Files\\Veeam\\Backup and Replication\\Console\\veeam\.backup\.shell\.exe"
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-20-2020 04:07 AM

Hi @montydo,
let me understand: do you want to exclude from indexing all the events where there's the string "C:\Program Files\Veeam\Backup and Replication\Console\veeam.backup.shell.exe" ?
if this is your need you should use something like this:

[WinEventLog://Security]
disabled = 0
start_from = newest
blacklist1 = C:\\Program Files\\Veeam\\Backup and Replication\\Console\\veeam.backup\.shell\.exe
index = wineventlog

otherwise, you can filter these events on Indexers before indexing (see at https://docs.splunk.com/Documentation/Splunk/8.0.1/Forwarding/Routeandfilterdatad#Filter_event_data_... ) using the same regex.

Ciao.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...