Solved: Re: Regex help!

kiran331 · ‎05-24-2017

How to use the Regex to extract the first 2 words OR 3 words from below field values?

OS:
Windows 10 Enterprise

Windows 10 Enterprise 64 bit Edition

Windows 2000 Service Pack 3
Windows 2003 R2 Service Pack 2
Windows Server 2003 R2 Service Pack 2

I need:

windows 10
windows 2000
windows 2003
windows server 2003

woodcock · ‎05-24-2017

Like this:

| makeresults 
| eval OS="Windows 10 Enterprise 
Windows 10 Enterprise 64 bit Edition 
Windows 2000 Service Pack 3
Windows 2003 R2 Service Pack 2
Windows Server 2003 R2 Service Pack 2"
| makemv delim="
" OS

| rename COMMENT AS "Everything above creates test events; everything below is your solution"

| rex field=OS mode=sed "s/^(Windows\D+\d+).*$/\1/"

View solution in original post

woodcock · ‎05-24-2017

Like this:

| makeresults 
| eval OS="Windows 10 Enterprise 
Windows 10 Enterprise 64 bit Edition 
Windows 2000 Service Pack 3
Windows 2003 R2 Service Pack 2
Windows Server 2003 R2 Service Pack 2"
| makemv delim="
" OS

| rename COMMENT AS "Everything above creates test events; everything below is your solution"

| rex field=OS mode=sed "s/^(Windows\D+\d+).*$/\1/"

woodcock · ‎05-24-2017

This is "future-proof".

wenthold · ‎05-24-2017

I would use:

rex field=_raw "(?<windows_version>Windows (?:Server )?[0-9]{1,4})"

The regex breaks down like this:
Windows - exact match
(?:Server )? - optional match, the space after "Server" but before the close parentheses is important.
[0-9]{1,4} - match from 1 to 4 numeric characters

I wouldn't extract from _raw if you have another field that includes the data, it would save some of the computational cost.

alemarzu · ‎05-24-2017

Try this one,

... | rex  "(?<OS>[A-Z][a-z]+\s(?:\d{2,}|\w+\s\d{2,}))"

Hope it helps.

damiensurat · ‎05-24-2017

Your search... | rex field=Your_OS_Field = "(?^\w*\s[\d]{2,4})"

gcusello · ‎05-24-2017

Hi kiran331,
try something like this

(?<SO>.*)\s(Enterprise|Service)

in a command

| rex field=your_field "(?<SO>.*)\s(Enterprise|Service)"

you can test it at https://regex101.com/r/UwejCo/1

Bye.
Giuseppe

kiran331 · ‎05-24-2017

Thanks cusello, Please let me know how to exclude R2 in the fields?

gcusello · ‎05-24-2017

Hi kiran331,
modify regex in this way

(?U)(?.*)\s+(R2|Service|Enterprise)

Are you sure to exclude R2 from your results? 2008 is really different than 2008/R2!
Bye.
Giuseppe

damiensurat · ‎05-24-2017

Hi cusello. That will work if he want a the R2, I think you should append your regex if all he is looking for is up to the version / year number.

gcusello · ‎05-24-2017

Hi kiran331,
try something like this

(?<SO>.*)\s(Enterprise|Service)

in a command

| rex field=your_field "(?<SO>.*)\s(Enterprise|Service)"

you can test it at https://regex101.com/r/UwejCo/1

Bye.
Giuseppe

Regex help!

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!