Process monitoring using match pattern from process path

Article ID: 237932

Updated On:

Products

  • DX Unified Infrastructure Management (Nimsoft / UIM)
  • CA Unified Infrastructure Management SaaS (Nimsoft / UIM)
  • Unified Infrastructure Management for Mainframe

Issue/Introduction

  • We need to apply process monitoring using a match pattern. The pattern will be found in the process (binary) path. The process names are not known.
  • A particular process needs to be monitored when the match pattern is found in the path of the process name. Is there some way that this can be done?

Environment

  • Release: 20.4
  • Component: UIM - PROCESSES
  • processes probe v4.70

Cause

  • A process that shares its name with other processes needs to be isolated by using exclusion.
  • Processes can be excluded by using a REGEX with a negative lookahead.

Resolution

In the processes probe, processes can be recognized and monitored by using one of the following:

  1. name
  2. name + command line
  3. binary path, e.g., absolute path of the .exe
  4. process identifier (PID)

[Screenshot: processes IM configuration]

[Screenshot: processes AC configuration]

All of the fields mentioned above handle regular expression (regex) and pattern matching rules. For more information, see 'Use Regular Expressions' in 'processes Advanced Configuration.'

Some examples of the use of regular expressions (REGEX) are included here in the tech docs:

processes Advanced Configuration

You can use a regex on the process's binary path. As an example, an advanced format that uses a REGEX 'AND' operator to filter on two substrings within the binary path might be the following. As written, this form matches only when substring1 appears before substring2 in the path.

Format

   /(.*<substring1>.*)(.*<substring2>.*)/

Example

   /(.*jre8u312b07.*)(.*vmware.*)/

Then, when the process is present, press the Test button in the processes probe to see whether it picks up the process; otherwise you have to wait for the probe to pick it up.

Note that the exclusion feature available in IM and AC excludes an entire process name and does not accept a regex.

Regex syntax examples using an exclusion/negative lookahead:

/^(?!.*STRING2).*STRING1.*$/

/^(?!.*STRING5|.*STRING4|.*STRING3|.*STRING2).*STRING1.*$/

Here are some working REGEX examples:

Filter out crtc process entries and only include the single process for card0

/^(?!.*crtc5|.*crtc4|.*crtc1|.*crtc2|.*crtc2).*card0.*$/

Filter out TabTip32 and only include the TabTip process

/^(?!.*TabTip32).*TabTip.*$/

Filter on ALL java processes but none that have UTF-8 in the binary path. This is just meant for testing.

/^(?!.*UTF-8).*java.exe.*$/

Filter on a single java process by excluding strings from the other java processes' binary paths

(Use this format below for isolating a java process)

/^(?!.*UTF-8|.*-Duser|.*ErrorFile|.*-Djava.library.path).*java.exe.*$/

Monitor all processes matching "splunkd -p <arguments>" but exclude instances where 'alarm_enrichment' appears in the arguments

/splunkd -p(?!.*alarm_enrichment.*).*$/

Additional Information

  • Make sure you use the correct process name, which could be java.exe, java, sh, etc.

  • Make sure you don't accidentally exclude a string that is also present in the binary path of the process you're trying to monitor. That is easy to do by mistake.

  • Look closely at the name of the process in the path text 'block'. The processes probe doesn't make that easy when the path is very long, so you have to scroll over.

  • Be certain you're not excluding a string that occurs within that process's binary path; otherwise you'll get an empty result (no process returned in the Test window).

  • When you're excluding one or more processes, look at their binary paths and carefully choose a string that is unique to each process you want to exclude.
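The isolation pattern and the over-exclusion pitfall described above can be checked offline before pressing Test in the probe. This is an added example, not code from the article or the product: the process lines are constructed, the helper names are hypothetical, and it assumes Python's `re` module treats these lookahead patterns the same way the probe's regex engine does.

```python
import re

# Constructed sample binary paths with arguments (not taken from a real host).
SAMPLE_PROCESSES = [
    r"C:\Program Files\AppA\jre\bin\java.exe -Dfile.encoding=UTF-8 -jar appa.jar",
    r"C:\Program Files\AppB\jre\bin\java.exe -Duser.timezone=UTC -jar appb.jar",
    r"C:\Program Files\AppC\jre\bin\java.exe -XX:ErrorFile=C:\logs\err.log -jar appc.jar",
    r"C:\Program Files\AppD\jre\bin\java.exe -jar appd.jar",
    r"C:\Program Files\AppE\jre\bin\java.exe -Djava.library.path=C:\lib -jar appe.jar",
]
TARGET = SAMPLE_PROCESSES[3]  # the one java process we want to monitor

# Pattern from the article for isolating a single java process.
ISOLATE = r"/^(?!.*UTF-8|.*-Duser|.*ErrorFile|.*-Djava.library.path).*java.exe.*$/"
# Constructed mistake: '-jar' also occurs in the target's own command line.
OVER_EXCLUDED = r"/^(?!.*UTF-8|.*-Duser|.*ErrorFile|.*-jar).*java.exe.*$/"

def compile_probe_pattern(pattern):
    """Strip the /.../ delimiters used in the probe fields and compile the body."""
    if len(pattern) < 2 or not (pattern.startswith("/") and pattern.endswith("/")):
        raise ValueError("expected a pattern of the form /regex/")
    return re.compile(pattern[1:-1])

def matching_processes(pattern, processes=SAMPLE_PROCESSES):
    """Return the entries the pattern selects (search semantics are an assumption)."""
    rx = compile_probe_pattern(pattern)
    return [p for p in processes if rx.search(p)]

def check_isolation(pattern, target, processes=SAMPLE_PROCESSES):
    """Report whether the pattern selects exactly the target process."""
    hits = matching_processes(pattern, processes)
    if target not in hits:
        return "target-excluded"   # the empty or wrong result seen in the Test window
    return "ok" if len(hits) == 1 else "ambiguous"

if __name__ == "__main__":
    for label, pat in [("isolate", ISOLATE),
                       ("too few exclusions", r"/^(?!.*UTF-8).*java.exe.*$/"),
                       ("over-excluded", OVER_EXCLUDED)]:
        print(f"{label}: {check_isolation(pat, TARGET)}")
        for hit in matching_processes(pat):
            print("   ", hit)
```

Replace `SAMPLE_PROCESSES` with the binary paths copied from the probe's process list to vet a pattern against the real set of same-named processes.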