topic Re: Rex expression Puzzle in Splunk Search

Rex expression Puzzle

TorbinIT — Mon, 14 Dec 2020 16:15:07 GMT

Hey, is there anyone there good with rex expressions?

I've been given a task by my boss, to extract 4 new fields from the data in one fiend, pluginText. The data that's currently in pluginText is as follows:

<plugin_output>
Model : Q6042-E
Software version : 5.55.1.2
Version source : HTTP
Fixed version : 6.50.1.2
</plugin_output>

I thought I'd start by just cracking one field and if I can get one, I can sort out the others from that one as a working model. So I figured I'd start with Version source, since the end result I want is for a new field "Version source" to just display 4 letters: "HTTP".

The problem is that it's not working, what I'm trying. I thought THIS might work:

| rex field=pluginID "(?<Version source>\w\w\w\w)"

but it's just giving me an error “Regex: syntax error in subpattern name (missing terminator)”

What am I doing wrong? I'm newbie at rex expressions and reviewing the documents Splunk's put out hasn't helped much.

Re: Rex expression Puzzle

gcusello — Mon, 14 Dec 2020 16:39:50 GMT

Hi @TorbinIT,

if you already extracted the plugin_output field, you could use the following four regexes:

| rex field=plugin_output "Model\s+:\s+(?<Model>[^ ]+)" | rex field=plugin_output "Software\s+version\s+:\s+(?<Software_version>[^ ]+)" | rex field=plugin_output "Version\s+source\s+:\s+(?<Version_source>[^ ]+)" | rex field=plugin_output "Fixed\s+version\s+:\s+(?<Fixed_version>[^ ]+)"

Ciao.

Giuseppe

Re: Rex expression Puzzle

TorbinIT — Mon, 14 Dec 2020 16:49:41 GMT

I hadn't actually extracted a the plugin_output field. What I showed you was literally everything printed in the pluginText field,

This is useful though. How would I go about extracting plugin_output?

Re: Rex expression Puzzle

gcusello — Mon, 14 Dec 2020 16:53:56 GMT

Hi @TorbinIT,

if you didn't already extracted the plugin_output field, you have only to a little modify your regexes:

| rex "Model\s+:\s+(?<Model>[^ ]+)" | rex "Software\s+version\s+:\s+(?<Software_version>[^ ]+)" | rex "Version\s+source\s+:\s+(?<Version_source>[^ ]+)" | rex "Fixed\s+version\s+:\s+(?<Fixed_version>[^ ]+)"

Ciao.

Giuseppe

Re: Rex expression Puzzle

TorbinIT — Mon, 14 Dec 2020 17:03:52 GMT

This makes SO MUCH SENSE. I was looking at it all wrong.

Looking just at "Model" as an example, you're telling Splunk to search for “Model”, then space between it (the \s+) then a : symbol, then MORE space between the : and the next bit (the \s+) which is the identifiable pattern. THEN, you specify the field you’re looking to create, which you're defining as "Software_version".

The only part I'm not understanding still is the [^ ] at the end. Isn't that a command for "no included character"? Are you telling the search to ignore anything spaces in the field and display everything else?

The only other thing worth noting is when i tried your solution, it gave me an output of Q6042-E\n

I don't know where the \n came from

But this is certainly useful! Thank you so very much!

Re: Rex expression Puzzle

gcusello — Mon, 14 Dec 2020 17:11:24 GMT

Hi @TorbinIT,

[^ ] + means: take all the chars until a space, it's an useful way to take all when there aren't spaces in the field values.

Ciao.

Giuseppe

P.S.: karma Points are appreciated 😉

Re: Rex expression Puzzle

youngsuh — Fri, 22 Jan 2021 17:49:43 GMT

Here is what I've done. How to break out the results into individual software correctly in Splunk. Any tips could be helpful. Here is the regex being used for software_name and software_version.

| rex max_match=100 field=pluginText "\n+(?<software_name>[^[].*)\s\s\[version\s\d"
| rex max_match=100 field=pluginText "\s\s\[version\s(?<software_version>[^[]*.)\]"
| stats values(software_name) as software_name values(software_version) as software_version by dest

I'd extracted the text has group of pairs.