topic Re: How do I write the regex to capture the database name and major version from my sample data? in Splunk Search

How do I write the regex to capture the database name and major version from my sample data?

vinay4444 — Tue, 24 Nov 2015 14:10:17 GMT

I am struggling with the regex match on the below pattern. I need to capture major version name from below ( DB2 9.7,DB2 10.1 ) . Pretty much first letter till second "." . Any help?

DB2 9.7.10.1
DB2 10.1.4.4
DB2 9.7.600.413
DB2 9.7.9.8

Re: How do I write the regex to capture the database name and major version from my sample data?

sundareshr — Tue, 24 Nov 2015 15:35:53 GMT

Try this

(\w+\s\d+\.\d+)

Re: How do I write the regex to capture the database name and major version from my sample data?

aljohnson_splun — Tue, 24 Nov 2015 15:41:28 GMT

Try this:

| rex "DB2(?<version>\s\d+\.\d+)"

it will be non permanent. and only exist for the single search.

Based on the fact that this is relatively simple regular expression, I will leave some links here to help you learn.

http://regexone.com/ - this is a great interactive tutorial
https://regex101.com/ - test out your regex ! example: https://regex101.com/r/eF7oF2/1
Splunk Regular Expressions - docs are great
Regular Expression Tutorial

Re: How do I write the regex to capture the database name and major version from my sample data?

Sebastian2 — Tue, 24 Nov 2015 15:44:13 GMT

No look all in:

# To extract the Version like "x.y" only:
/DB2\s(\d+\.\d+).*/i
# To extract the whole thing like "DB2 x.y"
/(DB2\s\d+\.\d+).*/i

I have to add, that I'm not sure if this actually fits 100% into Splunk. If you want to extract a field via props.conf it would be something like this:

EXTRACT-major_version = DB2\s(?P<major_version>\d+\.\d+).*

To use a regex inline in a search it would be

... |rex "DB2\s(?<major_version>\d+\.\d+).*"

Re: How do I write the regex to capture the database name and major version from my sample data?

vinay4444 — Tue, 24 Nov 2015 15:51:41 GMT

index=XXXX  | rex field=databaseDbServerVersion "DB2(?\s\d+\.\d+)" | table version

Thanks version now has correct result 10.1,10.5 etc but is there a way to get DB2 10.1 , DB2 9.7 in version

Re: How do I write the regex to capture the database name and major version from my sample data?

vinay4444 — Tue, 24 Nov 2015 15:51:49 GMT

index=XXXX | rex field=databaseDbServerVersion "DB2(?\s\d+.\d+)" | table version

Thanks version now has correct result 10.1,10.5 etc but is there a way to get DB2 10.1 , DB2 9.7 in version

Re: How do I write the regex to capture the database name and major version from my sample data?

aljohnson_splun — Tue, 24 Nov 2015 16:06:29 GMT

Just change

"DB2(?<version>\s\d+\.\d+)"

"(?<version>DB2\s\d+\.\d+)"

Everything inside of the parenthesis is going to be "captured". Everything outside of the parenthesis is going to be "matched".

Re: How do I write the regex to capture the database name and major version from my sample data?

sundareshr — Tue, 24 Nov 2015 16:20:02 GMT

(\w+\s\d+\.\d+) will give you exactly what you asked for.