Getting Data In

REX Field Extraction Help

TorbinIT
Path Finder

Hello!

I'm working on a Rex Expression for my job, and wanted to ask for some assistance in developing it. I'm supposed to make a rex expression to pull out the "Fixed version" of a piece of software out of a field called "pluginText". Right now the problem is the Rex expression I've made only works half the time.

My Rex expression is currently:

 | rex field=pluginText max_match=0 "\s+Fixed version\s+:\s+(?<FixedVersion>.+)"\n

Here are some relevant examples of the sorts of data I'm working with:

<plugin_output>
   Path        : C:\Program Files\VMware\VMware Tools\VMware VGAuth\libssl-3-x64.dll
   Reported version : 3.0.3.0
   Fixed version : 3.0.4</plugin_output>


and

<plugin_output>
   Path : C:\myPrograms\cygwin64\bin\openssl.exe
   Reported version : 1.1.1.4
   Fixed version : 1.1.1p

  Path : C:\myPrograms\Git\usr\bin\openssl.exe
  Reported version : 1.1.1.9
  Fixed version : 1.1.1p

  Path : C:\myPrograms\Git\mingw64\bin\openssl.exe
  Reported version : 1.1.1.9
  Fixed version : 1.1.1p
</plugin_output>

The Rex expression I made works perfectly on the second example I've provided, but not the first. I'm guessing it's due to the </plugin_output> on it.

Any advice for how I can tweak it to work for both sorts of data? Attached is a visual aid of the first example, for clarity. Thank you in advance!

Labels (1)
0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust

Hi

can you change your regex like 

"\s+Fixed version\s+:\s+(?<FixedVersion>[^\n\r\<]+)"

See https://regex101.com/r/z4DfqM/1

regex101 is excellent place to try those and also debug if needed.

r. Ismo

View solution in original post

isoutamo
SplunkTrust
SplunkTrust

Hi

can you change your regex like 

"\s+Fixed version\s+:\s+(?<FixedVersion>[^\n\r\<]+)"

See https://regex101.com/r/z4DfqM/1

regex101 is excellent place to try those and also debug if needed.

r. Ismo

TorbinIT
Path Finder

This appears to have fixed my problem perfectly! Thank you very much!

0 Karma

TorbinIT
Path Finder

Here's a visual aid of the second example, as well!

0 Karma
Get Updates on the Splunk Community!

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...