Splunk Search

How to extract OS using Regex?

Akmal57
Path Finder

Hi, I have a lookup which lists out all Red Hat Linux. For example, my lookup has Red Hat 7, Red Hat 8 and so on.
I need to correlate the OS log with the lookup, but my OS log is not standardized, as below:

Red Hat Linux Enterprise 7.1,

Red Hat Linux Enterprise Server 8.6 and so on.

How do I make it a standardized OS like the lookup above using regex?

Please assist with this. Thank you.

1 Solution

yuanliu
SplunkTrust

But for example, there are some OS logs where the Red Hat is in the middle,

example: Linux(Red Hat Linux Enterprise 7.1) and Linux(Red Hat Linux Enterprise) 8.6


You mean multiple OS's can appear in the same line? (The above regex doesn't anchor to any position, so for the first search it shouldn't matter whether it is in the middle.) For this, you can add max_match=0 and use mvzip.

| rex field=os max_match=0 "(?<os_family>Red Hat|Ubuntu|Fedora|SuSE)\D+(?<os_maj>\d+)"
| eval os_standard = mvzip(os_family, os_maj, " ")

Here is an emulation that you can play with and compare with real data.

| makeresults
| eval os = mvappend("Linux(Red Hat Linux Enterprise 7.1) and Linux(Red Hat Linux Enterprise) 8.6",
"Red Hat Linux Enterprise 7.1", "Red Hat Linux Enterprise Server 8.6")
| mvexpand os
``` data emulation above ```

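The rex + mvzip approach from the accepted solution above, together with the lookup correlation the original question asks for, emulated in Python as an added example (not code from this thread): the same alternation as the rex (with Ubuntu spelled as the OS is actually named), run so that every match in one event is kept, and each standardized value checked against a constructed lookup in the asker's "Red Hat 7 / Red Hat 8" form. The sample events and the lookup rows are constructed for this example.

```python
import re

# Same alternation as the SPL rex in the accepted answer.
# Group 1 = OS family, group 2 = major release; \D+ skips the words between them.
OS_PATTERN = re.compile(r"(Red Hat|Ubuntu|Fedora|SuSE)\D+(\d+)")

# Constructed sample events, taken from the emulation in the thread plus two extras.
SAMPLE_EVENTS = [
    "Linux(Red Hat Linux Enterprise 7.1) and Linux(Red Hat Linux Enterprise) 8.6",
    "Red Hat Linux Enterprise 7.1",
    "Red Hat Linux Enterprise Server 8.6",
    "Ubuntu 22.04.3 LTS",
    "Windows Server 2019",  # not in the alternation, so it yields no match
]

# Constructed lookup rows standing in for the asker's Red Hat lookup.
LOOKUP = {"Red Hat 7", "Red Hat 8", "Ubuntu 22"}


def standardize(os_string):
    """Equivalent of `rex max_match=0` followed by mvzip(os_family, os_maj, " ").

    Returns every match in the event, in order, as a list (a multivalue field).
    An event with no recognised family returns an empty list, just as rex
    would leave os_family/os_maj unset.
    """
    return [f"{family} {major}" for family, major in OS_PATTERN.findall(os_string)]


def correlate(events, lookup):
    """For each event, split its standardized values into lookup hits and misses.

    This is the join the question wants: os_standard matched against the lookup.
    """
    results = []
    for event in events:
        std = standardize(event)
        results.append({
            "os": event,
            "os_standard": std,
            "in_lookup": [s for s in std if s in lookup],
            "not_in_lookup": [s for s in std if s not in lookup],
        })
    return results


if __name__ == "__main__":
    for row in correlate(SAMPLE_EVENTS, LOOKUP):
        print(row)
```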

inventsekar
SplunkTrust

Hi all. Splunk newbie learning videos, for absolute beginners:
https://www.youtube.com/@SiemNewbies101/playlists

I have created around 30 small videos on rex in particular. Please check the playlist, thanks.


Akmal57
Path Finder

Hi @yuanliu, it's working excellently. Thank you for your assistance.


yuanliu
SplunkTrust
SplunkTrust

It really depends on how you design your "standardized OS".  Without a definition, there is no definitive answer.  Make no mistake, there are as many ways to "standardize" OS as there are OS's.

If all you need is an OS family name and a major release, and assuming the operating system's full name is in field os, you can do

| rex field=os "(?<os_family>Red Hat|Ubuntu|Fedora|SuSE)\D+(?<os_maj>\d+)"
| eval os_standard = os_family . " " . os_maj

Alternatively,

| eval os_standard = replace(os, "(Red Hat|Ubuntu|Fedora|SuSE)\D+(?<os_maj>\d+).*", "\1 \2")

or

| rex field=os mode=sed "s/(Red Hat|Ubuntu|Fedora|SuSE)\D+(\d+).*/\1 \2/"

Hope this helps.

Akmal57
Path Finder

Hi @yuanliu, both are working perfectly.

But for example, there are some OS logs where the Red Hat is in the middle,

example: Linux(Red Hat Linux Enterprise 7.1) and Linux(Red Hat Linux Enterprise) 8.6

For the above log, the regex also detects the Linux.

Can you assist with a regex that covers only Red Hat and its version?

Also, I have the same issue with the Windows Server log, which needs a regex to only detect Windows Server and which year.

