
Regex help!

Builder

How do I use a regex to extract the first 2 or 3 words from the field values below?

OS:
Windows 10 Enterprise

Windows 10 Enterprise 64 bit Edition

Windows 2000 Service Pack 3
Windows 2003 R2 Service Pack 2
Windows Server 2003 R2 Service Pack 2

I need:

windows 10
windows 2000
windows 2003
windows server 2003


Re: Regex help!

Legend

Hi kiran331,
try something like this

(?<SO>.*)\s(Enterprise|Service)

in a command

| rex field=your_field "(?<SO>.*)\s(Enterprise|Service)"

you can test it at https://regex101.com/r/UwejCo/1

Bye.
Giuseppe


Re: Regex help!

Contributor

Hi cusello. That will work if he wants the R2; I think you should append your regex if all he is looking for is up to the version / year number.


Re: Regex help!

Builder

Thanks cusello. Please let me know how to exclude R2 from the fields.


Re: Regex help!

Legend

Hi kiran331,
modify the regex in this way

(?U)(?<SO>.*)\s+(R2|Service|Enterprise)

Are you sure you want to exclude R2 from your results? 2008 is really different from 2008/R2!
Bye.
Giuseppe


Re: Regex help!

Contributor

Your search... | rex field=YourOSField "(?<OS>^\w*\s[\d]{2,4})"


Re: Regex help!

Motivator

Try this one,

... | rex "(?<OS>[A-Z][a-z]+\s(?:\d{2,}|\w+\s\d{2,}))"

Hope it helps.


Re: Regex help!

Communicator

I would use:

rex field=_raw "(?<windows_version>Windows (?:Server )?[0-9]{1,4})"

The regex breaks down like this:
Windows - exact match
(?:Server )? - optional match, the space after "Server" but before the close parentheses is important.
[0-9]{1,4} - match from 1 to 4 numeric characters

I wouldn't extract from _raw if you have another field that includes the data; it would save some of the computational cost.


Re: Regex help!

Esteemed Legend

Like this:

| makeresults
| eval OS="Windows 10 Enterprise
Windows 10 Enterprise 64 bit Edition
Windows 2000 Service Pack 3
Windows 2003 R2 Service Pack 2
Windows Server 2003 R2 Service Pack 2"
| makemv delim="
" OS

| rename COMMENT AS "Everything above creates test events; everything below is your solution"

| rex field=OS mode=sed "s/^(Windows\D+\d+).*$/\1/"
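
To see how three of the regexes in this thread behave on the question's sample values, here is an added Python check (not part of any post above). Python's re module needs (?P<name>...) where Splunk's PCRE uses (?<name>...), so the named groups are rewritten; the (?U) variant is left out because (?U) means Unicode in Python, not ungreedy.

```python
import re

# Constructed sample values, copied from the OS field in the question
SAMPLE_OS = [
    "Windows 10 Enterprise",
    "Windows 10 Enterprise 64 bit Edition",
    "Windows 2000 Service Pack 3",
    "Windows 2003 R2 Service Pack 2",
    "Windows Server 2003 R2 Service Pack 2",
]

# What the asker wants from each value (case kept as in the answers)
EXPECTED = ["Windows 10", "Windows 10", "Windows 2000",
            "Windows 2003", "Windows Server 2003"]

# Regexes from the thread, with PCRE (?<name>...) rewritten as (?P<name>...)
PATTERNS = {
    # first answer: greedy .* keeps everything before Enterprise/Service, R2 included
    "greedy": re.compile(r"(?P<SO>.*)\s(Enterprise|Service)"),
    # later answer: literal Windows, optional "Server ", then 1 to 4 digits
    "anchored": re.compile(r"(?P<windows_version>Windows (?:Server )?[0-9]{1,4})"),
    # accepted answer's sed pattern: s/^(Windows\D+\d+).*$/\1/
    "sed": re.compile(r"^(Windows\D+\d+).*$"),
}


def extract(pattern_name, value):
    """Return capture group 1 for one value, or None when the regex does not match."""
    m = PATTERNS[pattern_name].search(value)
    return None if m is None else m.group(1)


def extract_all(pattern_name):
    """Apply one pattern to every sample value, like rex over a multivalue field."""
    return [extract(pattern_name, v) for v in SAMPLE_OS]


def sed_replace(value):
    """Mirror rex mode=sed: replace the whole value with group 1 when it matches."""
    return PATTERNS["sed"].sub(r"\1", value)


def matches_expected(pattern_name):
    """True when the pattern yields exactly the strings the question asked for."""
    return extract_all(pattern_name) == EXPECTED
```

Running it shows why the thread moved on from the first regex: "greedy" returns "Windows 2003 R2" and "Windows Server 2003 R2", while "anchored" and "sed" both return the expected list.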
