I have a use case where I need to stop the search triggering when the original process contains a certain DLL. In this example, MonkeySearch_12345.dll, the five-digit number on the end is a version number that varies. I've tried multiple variations of regex matches, text matches, etc., and the search will still return all unfiltered results. I was hopeful someone else had already solved this or knew what I need to add, and where, to get a filter to work. I'm basically new to Splunk SPL and already past the limits of my knowledge.

This is the original SPL.

> | tstats `security_content_summariesonly` count min(_time) as
> firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
> where `process_msiexec` Processes.process IN ("*/z*", "*-z*") by
> Processes.dest Processes.user Processes.parent_process_name
> Processes.process_name Processes.original_file_name Processes.process
> Processes.process_id Processes.parent_process_id  |
> `drop_dm_object_name(Processes)`  |
> `security_content_ctime(firstTime)`  |
> `security_content_ctime(lastTime)`  |
> `windows_msiexec_unregister_dllregisterserver_filter`

These are the solutions I've tried and failed on:

 where NOT like(Processes.original_file_name, "%MonkeySearch_?????.dll")
 where NOT like(Processes.oringinal_file_name, "^(.?MonketSearch_\d{5}\.dll)")
 where NOT match(Processes.original_file_name, "MonkeySearch_\d{5}\.dll$"

At the moment I'm not even sure I'm evaluating the correct variable/field.
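The exclusion written out as an added example, not a reply posted in this thread: the tstats `where` clause only accepts search-style terms (not eval functions such as `like()` or `match()`), and after `drop_dm_object_name(Processes)` the field is called `original_file_name` rather than `Processes.original_file_name`, so the regex filter belongs after that macro. It assumes the `*_filter` macro keeps its default `search *` definition, and the `(?i)` flag is added because Windows file names are case-insensitive while `match()` is not.

```spl
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Processes
    where `process_msiexec` Processes.process IN ("*/z*", "*-z*")
    by Processes.dest Processes.user Processes.parent_process_name
       Processes.process_name Processes.original_file_name Processes.process
       Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| where NOT match(original_file_name, "(?i)^MonkeySearch_\d{5}\.dll$")
| `windows_msiexec_unregister_dllregisterserver_filter`
```

If you would rather not edit the shipped search, the same `where NOT match(...)` expression can be placed in the definition of `windows_msiexec_unregister_dllregisterserver_filter`, which is the customization point Splunk content updates leave alone. A coarser alternative that runs inside tstats itself is `NOT Processes.original_file_name="MonkeySearch_*.dll"` in the `where` clause, at the cost of not enforcing exactly five digits.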
