Splunk Enterprise

Lookup doesn't work with wildcard within strings

VK18
Explorer

We are currently using a regex pattern to match events against our raw data, and it works perfectly when we use the search app. The pattern we are using is:

C:\\Windows\\system32\\cmd\.exe*C:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\14\.3\.8289\.5000\.105\\Data\\Definitions\\WebExtDefs\\20230830\.063\\webextbridge\.exe*

However, when we try to use this regex pattern in a lookup table, the events are not being matched. This seems to be because of the wildcard in the pattern. Despite defining the field name in the lookup definition (e.g., WILDCARD(process)), it still doesn't match the events.

I'm wondering if Splunk lookup supports wildcards within strings, or does it only support them at the beginning and end of strings?

Any insights or guidance on this matter would be greatly appreciated.

Regards
VK


bowesmana
SplunkTrust

Splunk does not support regex patterns in lookups, ONLY wildcards, i.e. *, so your escaped . characters and \ characters should not be in the lookup.

Your pattern is a bit odd in that it has

C:\\Windows\\system32\\cmd\.exe*C:\\P...

where the * in that, if it is a regex, is saying you need to repeat the preceding 'e' character 0 or more times.

If your process field contains C:\Windows\system32\cmd.exe ... then that should be the entry in the lookup and in the lookup entry you add * characters where you want to match any character in the data.

That * wildcarding is all that is supported in lookups.


VK18
Explorer

Hi @bowesmana ,

Thank you for clarifying that Splunk lookup does not support regex patterns.

I have just attempted to include the following event in the Splunk lookup, with a wildcard at the end, in order to match other events occurring after "webextbridge.exe". But it looks like it is not working.

Original event:
C:\Windows\system32\cmd.exe /d /c C:\ProgramData\Symantec\Symantec Endpoint Protection\14.3.XXXX.5000.105\Data\Definitions\WebExtDefs\20230830.063\webextbridge.exe chrome-extension://XXXXXXXXXXXXXXXXXXXXXXXXXXXXX/ --parent-window=0 < \\.\pipe\chrome.nativeMessaging.in.XXXXXXXXXXXa3 > \\.\pipe\chrome.nativeMessaging.out.10f754de9b9001a3

Splunk lookup table field value:
"C:\Windows\system32\cmd.exe /d /c C:\ProgramData\Symantec\Symantec Endpoint Protection\14.3.8289.5000.105\Data\Definitions\WebExtDefs\20230830.063\webextbridge.exe*"

Regards
VK


bowesmana
SplunkTrust

That is really interesting and you are right - I tried these variants

C:\Windows\system32\cmd.exe /d /c C:\ProgramData\Symantec\Symantec Endpoint Protection\14.3.8289.5000.105\Data\Definitions\WebExtDefs\20230830.063\webextbridge.exe*
C:\Windows\system32\cmd.exe /d /c C:\ProgramData\Symantec\Symantec Endpoint Protection\14.3.8*
C:\Windows\system32\cmd.exe /d /c C:\ProgramData\Symantec\Symantec Endpoint Protection\*\webextbridge.exe*

and the top two do not work, the last does. If I make the second one end in 14.3.* then it DOES work.

Not sure what's going on there.


inventsekar
SplunkTrust

VK18
Explorer

Hi @inventsekar,
I attempted to include a wildcard entry in transforms.conf, but unfortunately, it did not yield any successful results. It appears that Splunk lookup only accommodates wildcards at the start and end of a string and does not function when the wildcard is placed within the string.

Example below where it is working

* webex.com
office*

Example below where it is not working
abc*def*ghi*

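As an added illustration (not code from this thread, and not Splunk's own matcher), the Python script below translates WILDCARD-style lookup entries into regular expressions the way a plain glob matcher would, and checks the entries discussed in the thread against a constructed event modelled on the command line VK18 quoted. It makes bowesmana's point concrete: pasted into a lookup unchanged, the original regex with its `\\` and `\.` escapes cannot match, because everything other than `*` is taken literally; read as a real regex, its `e*` quantifier stops it matching the command line as well. The sample event, its version segment and the redacted IDs are constructed values, and the glob translation is an assumption about what a `WILDCARD(process)` entry is meant to express, not a model of how Splunk evaluates it: the posters report that Splunk did not match the first two path entries, which this script does match under glob semantics, so its use is to confirm an entry is well-formed and matches as intended before debugging the lookup itself.

```python
import re

# Constructed sample event, modelled on the command line quoted in the thread.
# The version segment and the redacted IDs are made-up values (assumption);
# this reproduces the shape of the poster's data, not the data itself.
SAMPLE_EVENT = (
    r"C:\Windows\system32\cmd.exe /d /c "
    r"C:\ProgramData\Symantec\Symantec Endpoint Protection\14.3.8289.5000.105"
    r"\Data\Definitions\WebExtDefs\20230830.063\webextbridge.exe "
    r"chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/ --parent-window=0 "
    r"< \\.\pipe\chrome.nativeMessaging.in.0000000000a3 "
    r"> \\.\pipe\chrome.nativeMessaging.out.10f754de9b9001a3"
)

# The regex from the original question, as it would look pasted into a lookup.
REGEX_ENTRY = (
    r"C:\\Windows\\system32\\cmd\.exe*C:\\ProgramData\\Symantec\\Symantec Endpoint Protection"
    r"\\14\.3\.8289\.5000\.105\\Data\\Definitions\\WebExtDefs\\20230830\.063\\webextbridge\.exe*"
)

PREFIX = r"C:\Windows\system32\cmd.exe /d /c C:\ProgramData\Symantec\Symantec Endpoint Protection"

# (label, lookup entry, value to match). The path entries are the ones tried in
# the thread; "abc*def*ghi*" gets a constructed input of its own.
CASES = [
    ("regex_entry", REGEX_ENTRY, SAMPLE_EVENT),
    ("full_path_star",
     PREFIX + r"\14.3.8289.5000.105\Data\Definitions\WebExtDefs\20230830.063\webextbridge.exe*",
     SAMPLE_EVENT),
    ("version_prefix_star", PREFIX + r"\14.3.8*", SAMPLE_EVENT),
    ("star_in_middle", PREFIX + r"\*\webextbridge.exe*", SAMPLE_EVENT),
    ("minor_version_star", PREFIX + r"\14.3.*", SAMPLE_EVENT),
    ("abc_def_ghi", "abc*def*ghi*", "abcXdefYghiZ"),
]


def wildcard_to_regex(entry: str) -> "re.Pattern[str]":
    """Translate a WILDCARD-style lookup entry into a compiled regex.

    Everything except '*' is escaped, so backslashes and dots are literal
    characters, and each '*' becomes '.*'. This is plain glob semantics
    (an assumption about intent), not Splunk's internal matching.
    """
    return re.compile(".*".join(re.escape(part) for part in entry.split("*")), re.DOTALL)


def wildcard_matches(entry: str, value: str) -> bool:
    """True when the whole value matches the wildcard entry."""
    return wildcard_to_regex(entry).fullmatch(value) is not None


def regex_matches(pattern: str, value: str) -> bool:
    """True when the pattern, read as a real regex, matches anywhere in the value."""
    return re.search(pattern, value) is not None


def evaluate_cases() -> dict:
    """Check every case under glob semantics; returns {label: matched}."""
    return {label: wildcard_matches(entry, value) for label, entry, value in CASES}


if __name__ == "__main__":
    for label, matched in evaluate_cases().items():
        print(f"{label:>20}: {'match' if matched else 'no match'}")
    # The original pattern, read as a regex, requires 'C:\ProgramData' right
    # after 'cmd.ex' plus zero or more 'e', so the ' /d /c ' in between defeats it.
    print(f"{'regex_entry as regex':>20}: "
          f"{'match' if regex_matches(REGEX_ENTRY, SAMPLE_EVENT) else 'no match'}")
```

Running the script shows the escaped regex failing in both readings while every `*`-only entry, including the one with the wildcard in the middle, matches under glob semantics; an entry that passes here but still fails in the lookup is therefore a Splunk matching question, not a typo in the entry.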