topic Table using regex in Splunk Search

Table using regex

VRP136 — Thu, 29 Aug 2024 19:01:13 GMT

Below is my raw log

[08/28/2024 08:14:50] Current Device Info ... ****************************************************************************** Current Mode: Skull Teams Current Device name: xxxxx Crestron Package Environment version :1.00.00.004 Crestron Package Firmware version :1.17.00.040 Crestron Package Flex-Hub version :1.3.0127.00204 Crestron Package HD-CONV-USB-200 version :009.051

I want extract only : Crestron Package Firmware version :xx.xx.xxx

I wrote a query like bleow , but not working , pls help

index=123 sourcetype = teams | search "Crestron Package Firmware version :" | rex field=_raw ":\s+(?<CCSFirmware>.*?)$" | eval Time(utc)=strftime(_time, "%y-%m-%d %H:%M:%S") | table host Time(utc) CCSFirmware

Re: Table using regex

ITWhisperer — Wed, 28 Aug 2024 15:18:44 GMT

Try something like this

index=123 sourcetype = teams | search "Crestron Package Firmware version :" | rex field=_raw "Crestron Package Firmware version :\s+(?<CCSFirmware>\S*?)" | eval Time(utc)=strftime(_time, "%y-%m-%d %H:%M:%S") | table host Time(utc) CCSFirmware

Re: Table using regex

VRP136 — Thu, 29 Aug 2024 13:22:41 GMT

No luck ,

Re: Table using regex

dural_yyz24 — Thu, 29 Aug 2024 15:38:31 GMT

Try this inside the quotes

Crestron Package Firmware version :(?<CCSFirmware>[^\s]+)

Re: Table using regex

ITWhisperer — Thu, 29 Aug 2024 18:12:37 GMT

Looks like there may not be a space after the colon so use * instead of +

| rex field=_raw "Crestron Package Firmware version :\s*(?<CCSFirmware>\S*?)"

It would help if you share your event data in a code block so that formatting e.g. spaces are preserved

Re: Table using regex

VRP136 — Thu, 29 Aug 2024 19:47:13 GMT

This worked , Thank you so much @dural_yyz24