Hello! It's me again!
I'm looking for a way to consolidate multiple different REX commands into a single command. The 4 Rex Expressions I'm working with are:
| rex field=pluginText " Model : (?<Model>.+)"
| rex field=pluginText " Software version : (?<Software_version>.+)"
| rex field=pluginText " Version source : (?<Version_source>.+)"
| rex field=pluginText " Fixed version : (?<Fixed_version>.+)"
Which are all designed to extract data from a single field (pluginText).
The information in pluginText (the input) is as follows:
<plugin_output>
Model : Q6042-E
Software version : 5.55.1.2
Version source : HTTP
Fixed version : 6.50.1.2
</plugin_output>
That's literally everything inside it. What I've done is 4 different REX commands for Model, Software version, Version source, and Fixed version. But now my teacher is asking me to take those 4 REX commands and turn them into one. This is supposed to be complicated because there are carriage returns in the data.
He says I should be able to do this with the \n command, for new line, but I've tried it a couple of times and it's not working in Splunk. Can someone explain how I should go about doing this? Thank you in advance, I will give karma for helping!
Since this is for a teacher, help will be minimal. In Splunk, the sequence [\s\S]+ can be used as a substitute for \n.
| makeresults | eval pluginText="<plugin_output>
Model : Q6042-E
Software version : 5.55.1.2
Version source : HTTP
Fixed version : 6.50.1.2
</plugin_output>"
| rex field=pluginText "Model : (?<Model>.+)\nSoftware version : (?<Software_version>.+)\nVersion source : (?<Version_source>.+)\nFixed version : (?<Fixed_version>.+)"
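As an added example (not part of the original posts), this Python sketch shows what a single combined expression like the one above does when the lines end in CRLF rather than LF: it still matches, but every `.+` capture keeps a trailing carriage return unless the value class excludes it. It uses Python's `re` module, where named groups are written `(?P<name>...)`. The CRLF copy of the input and the helper names are constructed here, and it is an assumption that Splunk's PCRE engine treats `.` and `\n` the same way for this input.

```python
import re

# Constructed sample: the plugin output from the question with LF line endings,
# plus a CRLF copy (an assumption about what "carriage returns" means here).
LF_TEXT = (
    "<plugin_output>\n"
    "Model : Q6042-E\n"
    "Software version : 5.55.1.2\n"
    "Version source : HTTP\n"
    "Fixed version : 6.50.1.2\n"
    "</plugin_output>"
)
CRLF_TEXT = LF_TEXT.replace("\n", "\r\n")

LABELS = ["Model", "Software version", "Version source", "Fixed version"]


def build_pattern(value, separator):
    """Build one regex: 'Label : (?P<Label>value)' per field, joined by separator."""
    groups = [
        "%s : (?P<%s>%s)" % (label, label.replace(" ", "_"), value)
        for label in LABELS
    ]
    return re.compile(separator.join(groups))


def extract(pattern, text):
    """Return the named captures as a dict, or None if the pattern does not match."""
    match = pattern.search(text)
    return match.groupdict() if match else None


# Same shape as the answer's expression: '.+' values joined by a literal '\n'.
ANSWER_STYLE = build_pattern(r".+", r"\n")
# Tolerant variant: values stop at CR or LF, separator accepts LF or CRLF.
TOLERANT = build_pattern(r"[^\r\n]+", r"\r?\n")

if __name__ == "__main__":
    for name, text in (("LF", LF_TEXT), ("CRLF", CRLF_TEXT)):
        print(name, "answer-style:", extract(ANSWER_STYLE, text))
        print(name, "tolerant:    ", extract(TOLERANT, text))
```

A trailing `\r` in `Software_version` or `Fixed_version` makes later equality or lookup matches on those fields fail without any error, so check the raw line endings before relying on `.+`.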