Solved: How do I edit the syntax for my rex expression to ...

rgcox1 · ‎10-13-2015

Can't get the following to work:

rex field=updateTitle  "(?<patch>)KB\d*+"

Sample text:

Security Update for Lync 2010 X64 (KB3081087â€‹)
Security Update for Microsoft Office 2010 (KB3054965) 32-Bit Edition
Update for Microsoft Office 2010 (KB3055042) 32-Bit Edition
Windows Malicious Software Removal Tool x64 - September 2015 (KB890830)
Update for Microsoft PowerPoint 2010 (KB3085513) 32-Bit Edition
Update for Microsoft Office 2010 (KB3055047) 32-Bit Edition
Security Update for Microsoft .NET Framework 4.5, 4.5.1 and 4.5.2 on Windows 7, Vista, Server 2008, Server 2008 R2 x64 (KB3074550)

somesoni2 · ‎10-13-2015

Try like this

rex field=updateTitle "(?<patch>KB\d+)"

OR

rex field=updateTitle "((?KB\d+)"

View solution in original post

somesoni2 · ‎10-13-2015

Try like this

rex field=updateTitle "(?<patch>KB\d+)"

OR

rex field=updateTitle "((?KB\d+)"

rgcox1 · ‎10-13-2015

Thx. Moving closing paren to end worked:

 rex field=updateTitle  "(?<KBnum>KB\d*+)"

How do I edit the syntax for my rex expression to extract the field from my sample data?

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES

Are you a member of the Splunk Community?

How do I edit the syntax for my rex expression to extract the field from my sample data?

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES