https://community.splunk.com/t5/Splunk-Search/How-to-extract-OS-using-Regex/m-p/659524#M227712 <P>Hi All...&nbsp;Splunk newbie learning videos, for absolute beginners:<BR /><A href="https://www.youtube.com/@SiemNewbies101/playlists" target="_blank">https://www.youtube.com/@SiemNewbies101/playlists</A></P><P>i have created around 30 small videos on rex particularly.. pls check the playlist, thanks.&nbsp;</P> Wed, 04 Oct 2023 02:04:56 GMT inventsekar 2023-10-04T02:04:56Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-OS-using-Regex/m-p/658930#M227572 <P><SPAN>Hi, i have lookup which list out all red hat linux. for example, in my lookup have red hat 7, red hat 8 and so on.</SPAN><BR /><SPAN>i need to correlate OS log with the lookup. but my OS log is not standardized as below:</SPAN></P> <P><SPAN>Red Hat Linux Enterprise 7.1,</SPAN></P> <P><SPAN>Red Hat Linux Enterprise Server 8.6 and so on. </SPAN></P> <P><SPAN>How do i make it as standardized OS as lookup above using regex.</SPAN></P> <P>Please assist on this. Thank you</P> Mon, 02 Oct 2023 17:27:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-OS-using-Regex/m-p/658930#M227572 Akmal57 2023-10-02T17:27:55Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-OS-using-Regex/m-p/658931#M227573 <P>It really depends on how you design your "standardized OS". &nbsp;Without a definition, there is no definitive answer. &nbsp;Make no mistake, there are as many ways to "standardize" OS as there are OS's.</P><P>If all you need is an OS family name and a major release, and assuming the operating system's full name is in field os. &nbsp;You can do</P><LI-CODE lang="markup">| rex field=os "(?&lt;os_family&gt;Red Hat|Utunbu|Fedora|SuSE)\D+(?&lt;os_maj&gt;\d+)" | eval os_standard = os_family . " " . os_maj</LI-CODE><P>Alternatively,</P><LI-CODE lang="markup">| eval os_standard = replace(os, "(Red Hat|Utunbu|Fedora|SuSE)\D+(?&lt;os_maj&gt;\d+).*", "\1 \2")</LI-CODE><P>or</P><LI-CODE lang="markup">| rex field=os mode=sed "s/(Red Hat|Utunbu|Fedora|SuSE)\D+(\d+).*/\1 \2/"</LI-CODE><P>Hope this helps.</P> Thu, 28 Sep 2023 05:34:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-OS-using-Regex/m-p/658931#M227573 yuanliu 2023-09-28T05:34:17Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-OS-using-Regex/m-p/658939#M227576 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/33901">@yuanliu</a>, both working perfectly.</P><P>but for example there is some os log, the red hat are in middle,</P><P>example: Linux(Red Hat Linux Enterprise 7.1) and&nbsp;Linux(Red Hat Linux Enterprise) 8.6</P><P>for above log, the regex also detect the linux.</P><P>can you assist on regex that cover only red hat and version of it?</P><P>also i have same issue on the windows server log which need regex for only detect windows server and which year.</P><P>&nbsp;</P> Thu, 28 Sep 2023 06:25:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-OS-using-Regex/m-p/658939#M227576 Akmal57 2023-09-28T06:25:34Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-OS-using-Regex/m-p/659025#M227603 <BLOCKQUOTE><HR />but for example there is some os log, the red hat are in middle,<P>example: Linux(Red Hat Linux Enterprise 7.1) and&nbsp;Linux(Red Hat Linux Enterprise) 8.6</P><HR /></BLOCKQUOTE><P>You mean multiple OS's can appear in the same line? (The above regex doesn't anchor to any position, so the first search shouldn't matter whether it is in the middle.) &nbsp;For this, you can add max_match=0 and use <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/MultivalueEvalFunctions#mvzip.28.26lt.3Bmv_left.26gt.3B.2C.26lt.3Bmv_right.26gt.3B.2C.26lt.3Bdelim.26gt.3B.29" target="_blank" rel="noopener">mvzip</A>.</P><LI-CODE lang="markup">| rex field=os max_match=0 "(?&lt;os_family&gt;Red Hat|Utunbu|Fedora|SuSE)\D+(?&lt;os_maj&gt;\d+)" | eval os_standard = mvzip(os_family, os_maj, " ")</LI-CODE><P>Here is an emulation that you can play with and compare with real data</P><LI-CODE lang="markup">| makeresults | eval os = mvappend("Linux(Red Hat Linux Enterprise 7.1) and Linux(Red Hat Linux Enterprise) 8.6", "Red Hat Linux Enterprise 7.1", "Red Hat Linux Enterprise Server 8.6") | mvexpand os ``` data emulation above ```</LI-CODE><P>&nbsp;</P> Fri, 29 Sep 2023 02:11:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-OS-using-Regex/m-p/659025#M227603 yuanliu 2023-09-29T02:11:06Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-OS-using-Regex/m-p/659522#M227711 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/33901">@yuanliu</a>, its working excellent. Thank you for your assist.</P> Wed, 04 Oct 2023 01:52:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-OS-using-Regex/m-p/659522#M227711 Akmal57 2023-10-04T01:52:44Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-OS-using-Regex/m-p/659524#M227712 <P>Hi All...&nbsp;Splunk newbie learning videos, for absolute beginners:<BR /><A href="https://www.youtube.com/@SiemNewbies101/playlists" target="_blank">https://www.youtube.com/@SiemNewbies101/playlists</A></P><P>i have created around 30 small videos on rex particularly.. pls check the playlist, thanks.&nbsp;</P> Wed, 04 Oct 2023 02:04:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-OS-using-Regex/m-p/659524#M227712 inventsekar 2023-10-04T02:04:56Z