Splunk Enterprise Security

Regex help to grab a process

dsmeerkat
Explorer

So I have some data like below in my _raw:

Name: BES Client, Running as: LocalSystem, Path: ""C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClient.exe"", SHA1: 5bf0d29324081f2f830f7e66bba7aa5cb1c46047
Name: BESClientHelper, Running as: LocalSystem, Path: ""C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClientHelper.exe"", SHA1: c989ae2278a9f8d6d5c5ca90fca6a57d19b168b8 
Name: svchost.exe, PID: 424, PPID: 432, ( Started up: Mon, 19 Sep 2022 03:41:57 -0700 ), Running as: NT AUTHORITY\LOCAL SERVICE, Path: C:\Windows\System32\svchost.exe, SHA1: 3196f45b269a614a3926efc032fc9d75017f27e8
Name: scsrvc.exe, PID: 1384, PPID: 432, ( Started up: Mon, 19 Sep 2022 03:42:34 -0700 ), Running as: NT AUTHORITY\SYSTEM, Path: C:\Program Files\McAfee\Solidcore\scsrvc.exe, SHA1: ef1cc70f3e052a6c480ac2fe8cdfe21a502669cc

I am trying to parse out just the "running" process name, like "BES Client" or "BESClientHelper"; however, it has to have the text "Running" behind it so I know it's a running process. Not the two "exe" files crossed out above.

Make sense? 🙂 Thanks!!


bowesmana
SplunkTrust

This will give you a process field with the name of the process if it has the "Running" text after.

| rex "Name: (?<process>[^,]*), Running"


dsmeerkat
Explorer

This doesn't quite work, as it grabs the first "Name: " it sees in the raw and in my case spits out "Adobe Acrobat" and then stops. Is there a way to keep it going, naming all the "Name: xxxxxxxx, Running"? Does that make sense?


bowesmana
SplunkTrust

@dsmeerkat 

Yes, I assumed these were separate rows, but if this is one big _raw event, then use the max_match=0 param with rex; that will make a multivalue field with all the found matches of the regex.

Here is an example with your data as a single event

| makeresults
| eval _raw="Name: BES Client, Running as: LocalSystem, Path: \"\"C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClient.exe\"\", SHA1: 5bf0d29324081f2f830f7e66bba7aa5cb1c46047
Name: BESClientHelper, Running as: LocalSystem, Path: \"\"C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClientHelper.exe\"\", SHA1: c989ae2278a9f8d6d5c5ca90fca6a57d19b168b8 
Name: svchost.exe, PID: 424, PPID: 432, ( Started up: Mon, 19 Sep 2022 03:41:57 -0700 ), Running as: NT AUTHORITY\LOCAL SERVICE, Path: C:\Windows\System32\svchost.exe, SHA1: 3196f45b269a614a3926efc032fc9d75017f27e8
Name: scsrvc.exe, PID: 1384, PPID: 432, ( Started up: Mon, 19 Sep 2022 03:42:34 -0700 ), Running as: NT AUTHORITY\SYSTEM, Path: C:\Program Files\McAfee\Solidcore\scsrvc.exe, SHA1: ef1cc70f3e052a6c480ac2fe8cdfe21a502669cc"
| rex max_match=0 "Name: (?<process>[^,]*), Running"

VatsalJagani
SplunkTrust

You could append a search command to look for only those events.

| search process=*


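The same extraction outside Splunk, as an added example that is not part of this thread: it runs the max_match=0 regex from bowesmana's answer over the four sample rows joined into one event, applies the `| search process=*` filter from VatsalJagani's answer to a list of events, and goes one step further than the thread by pulling every field (name, PID, PPID, start time, user, path, SHA1) out of each row. Python's `re` spells a named group `(?P<process>...)` where Splunk's PCRE uses `(?<process>...)`; the full-row pattern `ROW_RE` is an assumption inferred from the four rows in the question, not a documented format, and the event text is constructed from those rows.

```python
import re

# Constructed sample: the four rows from the question joined into one newline-separated
# _raw event, exactly as in the makeresults example above.
RAW_EVENT = r"""Name: BES Client, Running as: LocalSystem, Path: ""C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClient.exe"", SHA1: 5bf0d29324081f2f830f7e66bba7aa5cb1c46047
Name: BESClientHelper, Running as: LocalSystem, Path: ""C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClientHelper.exe"", SHA1: c989ae2278a9f8d6d5c5ca90fca6a57d19b168b8
Name: svchost.exe, PID: 424, PPID: 432, ( Started up: Mon, 19 Sep 2022 03:41:57 -0700 ), Running as: NT AUTHORITY\LOCAL SERVICE, Path: C:\Windows\System32\svchost.exe, SHA1: 3196f45b269a614a3926efc032fc9d75017f27e8
Name: scsrvc.exe, PID: 1384, PPID: 432, ( Started up: Mon, 19 Sep 2022 03:42:34 -0700 ), Running as: NT AUTHORITY\SYSTEM, Path: C:\Program Files\McAfee\Solidcore\scsrvc.exe, SHA1: ef1cc70f3e052a6c480ac2fe8cdfe21a502669cc"""

# Python form of the Splunk rex `Name: (?<process>[^,]*), Running`.
# Only "Name: ..., Running" matches; rows that put "PID: ..." between the name and
# "Running as" fail at the ", Running" literal, which is the behaviour the question asks for.
RUNNING_RE = re.compile(r"Name: (?P<process>[^,]*), Running")

# Assumed full-row layout, inferred from the four sample rows (not a documented format):
# the PID/PPID/start-time block is optional, the path may be wrapped in doubled quotes,
# and the SHA1 is the last field on the line.
ROW_RE = re.compile(
    r"^Name: (?P<name>[^,]*), "
    r"(?:PID: (?P<pid>\d+), PPID: (?P<ppid>\d+), \( Started up: (?P<started>[^)]*) \), )?"
    r"Running as: (?P<user>[^,]*), "
    r"Path: (?P<path>.*?), "
    r"SHA1: (?P<sha1>[0-9a-fA-F]{40})\s*$",
    re.MULTILINE,
)


def running_processes(raw: str) -> list[str]:
    """Equivalent of `| rex max_match=0 "Name: (?<process>[^,]*), Running"` on one event:
    every match, in order, rather than only the first one."""
    return [m.group("process") for m in RUNNING_RE.finditer(raw)]


def events_with_running(events: list[str]) -> list[str]:
    """Equivalent of appending `| search process=*`: keep only events where the rex matched."""
    return [event for event in events if RUNNING_RE.search(event)]


def parse_rows(raw: str) -> list[dict]:
    """Split one event into per-row dicts using the assumed ROW_RE layout.
    pid/ppid/started are None for rows written in the short "Name, Running as" form."""
    rows = []
    for m in ROW_RE.finditer(raw):
        rows.append(
            {
                "name": m.group("name"),
                "pid": int(m.group("pid")) if m.group("pid") else None,
                "ppid": int(m.group("ppid")) if m.group("ppid") else None,
                "started": m.group("started"),
                "user": m.group("user"),
                # The sample data doubles the quotes around paths with spaces; strip them.
                "path": m.group("path").strip('"'),
                "sha1": m.group("sha1").lower(),
            }
        )
    return rows


if __name__ == "__main__":
    print("running:", running_processes(RAW_EVENT))
    for row in parse_rows(RAW_EVENT):
        print(row["name"], row["pid"], row["user"], row["sha1"], row["path"])
```

`running_processes` reproduces the multivalue field from the second answer; `parse_rows` is what you would reach for once the SHA1 or the account a process runs under matters (comparing hashes against an allowlist, or spotting a service running as SYSTEM from an unexpected path), and it keeps the short rows and the PID-bearing rows in one structure.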