Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to write a rex expression to pull out a specific bit of data?

TorbinIT
Path Finder
‎04-11-2023 06:15 AM

Hello! So I'm trying to write a rex expression to pull out a specific bit of data from this:

<plugin_output>Operating system version = 10.19044 Architecture = x64 Build lab extended = 19041.1.amd64fre.vb_release.191206-1406 </plugin_output>

Specifically I want to extract the Operating System Version as a new field, "Win10Build", but I want only everything after the period, so in this specific example I'd like to have the new field Win10Build=19044.

I've got a rex expression that ALMOST works for this:

| rex field=pluginText (?<Win10Build>\.\d+)

But I haven't figured out how to make it so that it only captures the 5 digits after the period and nothing else. This is just the closest my attempts have gotten. Right now it captures the period and everything after it.

Any suggestions for how I can refine my search? If nothing else I could include an eval command in my search that filters out the periods and just leaves the 5 digit values, but that seems crude and complicated to me and I'd like elegant and simple. If I could just write a rex expression that filters out the period it'd save the search time and effort, right?

Thank you for any replies and for helping me learn!

Labels (2)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-11-2023 06:21 AM

You're very close.  Just move the dot out of the capture group.

| rex field=pluginText "\.(?<Win10Build>\d+)"
---
If this reply helps you, Karma would be appreciated.
Reply

TorbinIT
Path Finder
‎04-11-2023 06:27 AM

...I can't believe it was that simple and I missed it. Thank you so much for the help!

Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...