Splunk Search

How to extract OS using Regex?

Akmal57 (Path Finder)

Hi, I have a lookup which lists out all Red Hat Linux versions. For example, my lookup has Red Hat 7, Red Hat 8 and so on.
I need to correlate the OS log with the lookup, but my OS log is not standardized, as below:

Red Hat Linux Enterprise 7.1,

Red Hat Linux Enterprise Server 8.6 and so on.

How do I make it a standardized OS like the lookup above using regex?

Please assist on this. Thank you.


inventsekar (SplunkTrust)

Hi all... Splunk newbie learning videos, for absolute beginners:
https://www.youtube.com/@SiemNewbies101/playlists

I have created around 30 small videos on rex in particular. Please check the playlist, thanks.

Akmal57 (Path Finder)

Hi @yuanliu, it's working excellently. Thank you for your assistance.

yuanliu (SplunkTrust)

It really depends on how you design your "standardized OS". Without a definition, there is no definitive answer. Make no mistake, there are as many ways to "standardize" OS as there are OSes.

If all you need is an OS family name and a major release, and assuming the operating system's full name is in the field os, you can do

| rex field=os "(?<os_family>Red Hat|Ubuntu|Fedora|SuSE)\D+(?<os_maj>\d+)"
| eval os_standard = os_family . " " . os_maj

Alternatively,

| eval os_standard = replace(os, "(Red Hat|Ubuntu|Fedora|SuSE)\D+(\d+).*", "\1 \2")

or

| rex field=os mode=sed "s/(Red Hat|Ubuntu|Fedora|SuSE)\D+(\d+).*/\1 \2/"

Hope this helps.

Akmal57 (Path Finder)

Hi @yuanliu, both are working perfectly.

But for example, in some OS logs the Red Hat is in the middle,

example: Linux(Red Hat Linux Enterprise 7.1) and Linux(Red Hat Linux Enterprise) 8.6

For the above log, the regex also detects the Linux.

Can you assist with a regex that covers only Red Hat and its version?

I also have the same issue with the Windows Server log, which needs a regex to detect only Windows Server and which year.

yuanliu (SplunkTrust)

but for example, in some OS logs the Red Hat is in the middle,

example: Linux(Red Hat Linux Enterprise 7.1) and Linux(Red Hat Linux Enterprise) 8.6

You mean multiple OSes can appear in the same line? (The above regex doesn't anchor to any position, so for the first search it shouldn't matter whether it is in the middle.) For this, you can add max_match=0 and use mvzip.

| rex field=os max_match=0 "(?<os_family>Red Hat|Ubuntu|Fedora|SuSE)\D+(?<os_maj>\d+)"
| eval os_standard = mvzip(os_family, os_maj, " ")

Here is an emulation that you can play with and compare with real data:

| makeresults
| eval os = mvappend("Linux(Red Hat Linux Enterprise 7.1) and Linux(Red Hat Linux Enterprise) 8.6",
"Red Hat Linux Enterprise 7.1", "Red Hat Linux Enterprise Server 8.6")
| mvexpand os
``` data emulation above ```
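The two approaches yuanliu posted (a plain rex for one OS per value, and rex max_match=0 with mvzip for several OSes in one value), reimplemented in Python as an added example so the regex behaviour can be checked offline against the thread's emulation strings. This is not code from the thread or from Splunk. It goes one step beyond the thread by adding a "Windows Server" branch that captures the year, which the follow-up asked for but the thread never posted; that branch, the lookup contents and the extra sample lines are assumptions and are marked as constructed in the code.

```python
import re

# Same alternation as the thread's rex, with "Utunbu" corrected to "Ubuntu",
# plus a "Windows Server" branch (assumption: the follow-up asked for it, the
# thread never posted one). \D+ skips everything up to the first digit run,
# so "Red Hat Linux Enterprise Server 8.6" yields ("Red Hat", "8").
OS_RE = re.compile(
    r"(?P<os_family>Red Hat|Ubuntu|Fedora|SuSE|Windows Server)\D+(?P<os_maj>\d+)"
)

# Constructed lookup, standing in for the question's lookup of Red Hat versions.
LOOKUP = {"Red Hat 7", "Red Hat 8", "Windows Server 2019"}

# Constructed sample values: the thread's emulation strings plus two extra
# lines (Windows Server and Ubuntu) that are assumptions, not thread data.
SAMPLE_OS = [
    "Red Hat Linux Enterprise 7.1",
    "Red Hat Linux Enterprise Server 8.6",
    "Linux(Red Hat Linux Enterprise 7.1) and Linux(Red Hat Linux Enterprise) 8.6",
    "Microsoft Windows Server 2019 Standard",
    "Ubuntu 22.04 LTS",
]


def standardize_first(os_text):
    """Equivalent of the first answer's rex without max_match: only the
    first occurrence is captured, so a line with two OSes yields one value."""
    m = OS_RE.search(os_text)
    return f"{m['os_family']} {m['os_maj']}" if m else None


def standardize_all(os_text):
    """Equivalent of rex max_match=0 followed by mvzip(os_family, os_maj, " "):
    every occurrence becomes one 'family major' value, in order of appearance."""
    return [f"{fam} {maj}" for fam, maj in OS_RE.findall(os_text)]


def correlate(os_text, lookup=LOOKUP):
    """The lookup step: keep only standardized values the lookup knows about.
    Anything else (here, Ubuntu) is dropped rather than mis-mapped."""
    return [value for value in standardize_all(os_text) if value in lookup]


if __name__ == "__main__":
    for line in SAMPLE_OS:
        print(repr(line))
        print("  first:", standardize_first(line))
        print("  all:  ", standardize_all(line))
        print("  known:", correlate(line))
```

Two caveats worth checking against real data before relying on this: the alternation is case-sensitive, so a value such as "SUSE Linux Enterprise Server 15" does not match the "SuSE" branch (use (?i) in SPL or re.IGNORECASE here, and normalize the captured family before the lookup); and \D+ consumes any text up to the first digit run, which is what makes "Windows Server 2008 R2" standardize to "Windows Server 2008" but would also swallow an intervening, unrelated number-free product name.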