Solved: How to correct my regex to extract multiple KB num...

hagjos43 · ‎03-09-2015

I'm using the following regex to extract KB numbers in the windowsupdate.log

| rex "\((?<KB>KB\d+)\)"

It works, but it only extracts the FIRST occurrence of the KB number.

Here is an example log file:

Security Update for Microsoft Word 2013 (KB2910916) 64-Bit Edition - Definition Update for Microsoft Office 2013 (KB2920752) 64-Bit Edition - Security Update for Windows 7 for x64-based Systems (KB3013455)

How do I tell the regex to repeat until the end of the line?

Thanks!
Joe

richgalloway · ‎03-09-2015

This should do it.

.. | rex max_match=0 "\((?<KB>KB\d+)\)" | ...

The KB field will be multivalued so you'll have to use the mv* functions to extract each value.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎03-09-2015

This should do it.

.. | rex max_match=0 "\((?<KB>KB\d+)\)" | ...

The KB field will be multivalued so you'll have to use the mv* functions to extract each value.

---
If this reply helps you, Karma would be appreciated.

hagjos43 · ‎03-09-2015

Perfect! Thanks so much!!!

How to correct my regex to extract multiple KB number occurrences in a windowsupdate.log, not just the first?

Fun with Regular Expression - multiples of nine

[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?

How to correct my regex to extract multiple KB number occurrences in a windowsupdate.log, not just the first?

Fun with Regular Expression - multiples of nine

[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...

What’s New & Next in Splunk SOAR