topic Re: Rex for extracting OS types in Splunk Search

Rex for extracting OS types

splgeek — Mon, 21 Nov 2016 15:34:23 GMT

Can someone please help me extract all different OS types from my logs. is there anyway Single rex query i can write to extract all possible OStypes

I see - Windows NT, MAC OS, Linux Android 6.0, Linux Android 7.0, ,there are few more
See sample logs

"Login","XXXX","XXXXX","XXXX","XXXXX","435","66","XXXXX","/index.jsp","","","","XXXX","XXXX","Mozilla/5.0 (Linux; Android 6.0.1; SM-G900V Build/MMB29M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/XXXXX Mobile Safari/XXX","","9998.0","","XXXX","XXXXX","2016-11-17T23:59:CSCS","XXXXX",""

--

"Login","XCCXC","XXXX-XXXX-","XXX","XXX","155","12","XXXX","/services/oauth2/token","","","","XXXX","XXXX","SalesforceMobileSDK/3.1.0 android mobile/6.0.1 (SM-G900V) Salesforce1/XXX Native","","XXXXX","","XCXc","XXX-XXX-XXX-GCM-XXX","2016-11-17ScT23:59:SCSCSc","XXX",""

----

Re: Rex for extracting OS types

richgalloway — Mon, 21 Nov 2016 16:04:01 GMT

This answer may help.

Re: Rex for extracting OS types

splgeek — Mon, 21 Nov 2016 16:26:57 GMT

as a refresher could you /anyone give me the spl query with rex/regex to extract these OS types with a field label name as Ostype

I cannot install any TA's for this

Re: Rex for extracting OS types

chimell — Mon, 21 Nov 2016 16:40:07 GMT

Hi splgeek
The following search code give you : Linux; Android 6.0.1;

index="your index_name"|rex field=_raw "(?<myfield>[\w+\;\s+\w+\s+\.\d+]+\;)"|table myfield

Re: Rex for extracting OS types

splgeek — Mon, 21 Nov 2016 16:41:09 GMT

thanks
so thats just for extracting linux?
is there anyway to extract them all with 1 query?

Re: Rex for extracting OS types

chimell — Mon, 21 Nov 2016 16:43:31 GMT

Please can you extend your sample logs , for permitting me to see well your events ?

Re: Rex for extracting OS types

chimell — Mon, 21 Nov 2016 16:44:04 GMT

i need to see well before extracting