https://community.splunk.com/t5/Splunk-Search/Extracting-using-rex/m-p/513467#M144071 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/223860">@rkris</a>&nbsp;, use the below query to get all three&nbsp;<SPAN>"Possible NewApt.Worm - gadget.exe",&nbsp; "Possible Y2K Zelu Trojan", and "Possible NewApt.Worm - baby.exe" from the logs.</SPAN></P><LI-CODE lang="markup">source="General-linux-sql.log" sourcetype="Linux" ("Possible NewApt.Worm - gadget.exe" OR "Possible Y2K Zelu Trojan" OR "Possible NewApt.Worm - baby.exe")</LI-CODE><P>&nbsp;</P> Tue, 11 Aug 2020 00:10:23 GMT impurush 2020-08-11T00:10:23Z https://community.splunk.com/t5/Splunk-Search/Extracting-using-rex/m-p/513439#M144056 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="splunk_qns8_p1.PNG" style="width: 492px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/10183i93230AD5B5B4175B/image-dimensions/492x16?v=v2" width="492" height="16" role="button" title="splunk_qns8_p1.PNG" alt="splunk_qns8_p1.PNG" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="splunk_qns8_p2.PNG" style="width: 486px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/10184i974E981B9C095413/image-dimensions/486x17?v=v2" width="486" height="17" role="button" title="splunk_qns8_p2.PNG" alt="splunk_qns8_p2.PNG" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="splunk_qns8_p3.PNG" style="width: 492px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/10185i70973F00986A852E/image-dimensions/492x16?v=v2" width="492" height="16" role="button" title="splunk_qns8_p3.PNG" alt="splunk_qns8_p3.PNG" /></span></P><P>How do I use rex to extract the virus info so that I can display this info in my splunk dashboard?</P> Mon, 10 Aug 2020 20:37:52 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-using-rex/m-p/513439#M144056 rkris 2020-08-10T20:37:52Z https://community.splunk.com/t5/Splunk-Search/Extracting-using-rex/m-p/513443#M144058 <P>Hi,</P><P>Do you want to get that "Virus" word in a separate field using rex command<BR />or do you want to show the log details in the dashboard which has a virus word?</P> Mon, 10 Aug 2020 20:44:18 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-using-rex/m-p/513443#M144058 impurush 2020-08-10T20:44:18Z https://community.splunk.com/t5/Splunk-Search/Extracting-using-rex/m-p/513445#M144059 <P>Hi</P><P>getting the end of line after VIRUS - try the next</P><P>&nbsp;</P><LI-CODE lang="java">index=&lt;YOUR INDEX HERE&gt; source="General-linux-sql.log" sourcetype="Linux" Virus | rex "\s+VIRUS\s+-\s+(?&lt;virusDescription&gt;.*)" | table _time virusDescription</LI-CODE><P>&nbsp;</P><P>r. Ismo&nbsp;</P> Tue, 11 Aug 2020 05:42:27 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-using-rex/m-p/513445#M144059 isoutamo 2020-08-11T05:42:27Z https://community.splunk.com/t5/Splunk-Search/Extracting-using-rex/m-p/513457#M144066 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/44228">@impurush</a>&nbsp; Hi. I just want to get "Possible NewApt.Worm - gadget.exe",&nbsp; "Possible Y2K Zelu Trojan", and "Possible NewApt.Worm - baby.exe"</P> Mon, 10 Aug 2020 22:27:27 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-using-rex/m-p/513457#M144066 rkris 2020-08-10T22:27:27Z https://community.splunk.com/t5/Splunk-Search/Extracting-using-rex/m-p/513461#M144068 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/214410">@isoutamo</a>&nbsp;</P><P>I need to put the following line first as this is where i'll be retrieving my info from</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="splunk_qns9_p1.PNG" style="width: 394px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/10188iC81E48B2AB482BCF/image-dimensions/394x66?v=v2" width="394" height="66" role="button" title="splunk_qns9_p1.PNG" alt="splunk_qns9_p1.PNG" /></span></P><P>So do i add your code after this line?</P> Mon, 10 Aug 2020 22:36:19 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-using-rex/m-p/513461#M144068 rkris 2020-08-10T22:36:19Z https://community.splunk.com/t5/Splunk-Search/Extracting-using-rex/m-p/513467#M144071 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/223860">@rkris</a>&nbsp;, use the below query to get all three&nbsp;<SPAN>"Possible NewApt.Worm - gadget.exe",&nbsp; "Possible Y2K Zelu Trojan", and "Possible NewApt.Worm - baby.exe" from the logs.</SPAN></P><LI-CODE lang="markup">source="General-linux-sql.log" sourcetype="Linux" ("Possible NewApt.Worm - gadget.exe" OR "Possible Y2K Zelu Trojan" OR "Possible NewApt.Worm - baby.exe")</LI-CODE><P>&nbsp;</P> Tue, 11 Aug 2020 00:10:23 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-using-rex/m-p/513467#M144071 impurush 2020-08-11T00:10:23Z https://community.splunk.com/t5/Splunk-Search/Extracting-using-rex/m-p/513485#M144075 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/44228">@impurush</a>&nbsp;</P><P>Is there a way for me to group them all into a table?</P> Tue, 11 Aug 2020 02:36:00 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-using-rex/m-p/513485#M144075 rkris 2020-08-11T02:36:00Z https://community.splunk.com/t5/Splunk-Search/Extracting-using-rex/m-p/513486#M144076 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/223860">@rkris</a>&nbsp;, you can try this</P><LI-CODE lang="markup">source="General-linux-sql.log" sourcetype="Linux" ("Possible NewApt.Worm - gadget.exe" OR "Possible Y2K Zelu Trojan" OR "Possible NewApt.Worm - baby.exe") |rex field=_raw "Virus\s-\s(?&lt;virus_name&gt;.*)" | table _time,virus_name</LI-CODE><P>&nbsp;</P> Tue, 11 Aug 2020 02:59:27 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-using-rex/m-p/513486#M144076 impurush 2020-08-11T02:59:27Z https://community.splunk.com/t5/Splunk-Search/Extracting-using-rex/m-p/513501#M144077 <P>Yes add it to after those. You should always add at least</P><P>index=&lt;your index&gt; sourcetype=&lt;your sourcetype&gt; source=&lt;your source&gt; when you are looking events. And in this case add also word “Virus” as it would be on your each event.&nbsp;<BR />That way your query is more powerful, quicker and use less resources.</P><P>I updated my previous example to contain these.</P><P><BR />r. &nbsp;Ismo</P> Tue, 11 Aug 2020 05:43:16 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-using-rex/m-p/513501#M144077 isoutamo 2020-08-11T05:43:16Z