
How to correct my regex to extract multiple KB number occurrences in a windowsupdate.log, not just the first?

Contributor

I'm using the following regex to extract KB numbers in the windowsupdate.log

| rex "\((?<KB>KB\d+)\)"

It works, but it only extracts the FIRST occurrence of the KB number.

Here is an example log file:

Security Update for Microsoft Word 2013 (KB2910916) 64-Bit Edition - Definition Update for Microsoft Office 2013 (KB2920752) 64-Bit Edition - Security Update for Windows 7 for x64-based Systems (KB3013455)

How do I tell the regex to repeat until the end of the line?

Thanks!
Joe


Re: How to correct my regex to extract multiple KB number occurrences in a windowsupdate.log, not just the first?

SplunkTrust

This should do it.

.. | rex max_match=0 "\((?<KB>KB\d+)\)" | ...

The KB field will be multivalued so you'll have to use the mv* functions to extract each value.

---
If this reply helps you, an upvote would be appreciated.

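As an added example (not part of the original answer), a self-contained search that embeds the asker's sample line with makeresults, applies the max_match=0 extraction, and then shows the mv* handling the reply refers to. The field names kb_count, first_kb and kb_list are assumptions chosen for illustration.

```spl
| makeresults
| eval _raw="Security Update for Microsoft Word 2013 (KB2910916) 64-Bit Edition - Definition Update for Microsoft Office 2013 (KB2920752) 64-Bit Edition - Security Update for Windows 7 for x64-based Systems (KB3013455)"
| rex max_match=0 "\((?<KB>KB\d+)\)"
| eval kb_count=mvcount(KB), first_kb=mvindex(KB, 0), kb_list=mvjoin(KB, ", ")
| mvexpand KB
| table KB kb_count first_kb kb_list
```

Before mvexpand, KB is one multivalued field holding all three KB numbers (kb_count is 3); after it, each KB value becomes its own row, which is the shape you need for stats or a lookup against an approved-patch list.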

Re: How to correct my regex to extract multiple KB number occurrences in a windowsupdate.log, not just the first?

Contributor

Perfect! Thanks so much!!!