Hey guys,
I'm trying to use regular expressions but can't get my head around it. I'm receiving lines such as:
u'C:\\Users\\User\\Downloads\\pyClamd-0.3.4\\SplunkClam\\Virus_txt\\Virus': ('FOUND', 'Eicar-Test-Signature')
u'C:\\Users\\User\\Downloads\\pyClamd-0.3.4\\SplunkClam\\Virus_zip_pass\\Virus.zip': ('FOUND', 'Heuristics.Encrypted.Zip')
u'C:\\Users\\User\\Downloads\\pyClamd-0.3.4\\SplunkClam\\Virus_txt\\Virus': ('FOUND', 'Eicar-Test-Signature')
u'C:\\Users\\User\\Downloads\\pyClamd-0.3.4\\SplunkClam\\pyclamd.pyc': ('FOUND', 'Eicar-Test-Signature-1')
u'C:\\Users\\User\\Downloads\\pyClamd-0.3.4\\SplunkClam\\Virus_zip_pass\\Virus.zip': ('FOUND', 'Heuristics.Encrypted.Zip')
and would like to extract the destination and the ('FOUND' 'VIRUS_NAME') fields separately to create an app. Any help would be greatly appreciated.
Hi SplunkUser5888,
somehting like this should get you started:
YourBaseSearchHere | rex field="_raw" "'(?<myDest>.+)'\:\s\('(?<myFound>.+)'\,\s'(?<myVirus>.+)'" | table myDest, myFound, myVirus
this will create a table of three fields for you:
myDest=C:\\Users\\User\\Downloads\\pyClamd-0.3.4\\SplunkClam\\Virus_zip_pass\\Virus.zip
myFound=FOUND
myVirus=Eicar-Test-Signature-1
cheers, MuS
Hi SplunkUser5888,
somehting like this should get you started:
YourBaseSearchHere | rex field="_raw" "'(?<myDest>.+)'\:\s\('(?<myFound>.+)'\,\s'(?<myVirus>.+)'" | table myDest, myFound, myVirus
this will create a table of three fields for you:
myDest=C:\\Users\\User\\Downloads\\pyClamd-0.3.4\\SplunkClam\\Virus_zip_pass\\Virus.zip
myFound=FOUND
myVirus=Eicar-Test-Signature-1
cheers, MuS
thx and you're welcome
your answer works miles better than my tweak, I've marked this as answered, thank you