How do I use regex to extract the first 2 or 3 words from the field values below?
Windows 10 Enterprise
Windows 10 Enterprise 64 bit Edition
Windows 2000 Service Pack 3
Windows 2003 R2 Service Pack 2
Windows Server 2003 R2 Service Pack 2
I need:
windows 10
windows 2000
windows 2003
windows server 2003
Like this:
| makeresults
| eval OS="Windows 10 Enterprise
Windows 10 Enterprise 64 bit Edition
Windows 2000 Service Pack 3
Windows 2003 R2 Service Pack 2
Windows Server 2003 R2 Service Pack 2"
| makemv delim="
" OS
| rename COMMENT AS "Everything above creates test events; everything below is your solution"
| rex field=OS mode=sed "s/^(Windows\D+\d+).*$/\1/"
This is "future-proof".
I would use:
rex field=_raw "(?<windows_version>Windows (?:Server )?[0-9]{1,4})"
The regex breaks down like this:
Windows - exact match
(?:Server )? - optional match; the space after "Server" but before the closing parenthesis is important.
[0-9]{1,4} - match from 1 to 4 numeric characters
I wouldn't extract from _raw if you have another field that includes the data; it would save some of the computational cost.
Try this one,
... | rex "(?<OS>[A-Z][a-z]+\s(?:\d{2,}|\w+\s\d{2,}))"
Hope it helps.
Your search... | rex field=Your_OS_Field = "(?^\w*\s[\d]{2,4})"
Hi kiran331,
try something like this
in a command
| rex field=your_field "(?<SO>.*)\s(Enterprise|Service)"
you can test it at
Thanks cusello, please let me know how to exclude R2 in the fields?
Hi kiran331,
modify regex in this way
Are you sure you want to exclude R2 from your results? 2008 is really different than 2008/R2!
Hi cusello. That will work if he wants the R2. I think you should append your regex if all he is looking for is up to the version / year number.
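Added example (not posted by anyone in this thread): a Python harness that runs the three complete patterns from the answers above over the question's values plus two constructed ones. It shows that the `[A-Z][a-z]+...` pattern needs at least two digits and so misses single-digit versions, and how R2 can be kept in its own field rather than discarded. The `WITH_R2` pattern, the function names, the edge-case values and the lowercasing (to mirror the output shown in the question) are assumptions.

```python
import re

# Field values from the question, then constructed edge cases (not from the thread).
QUESTION_VALUES = [
    "Windows 10 Enterprise",
    "Windows 10 Enterprise 64 bit Edition",
    "Windows 2000 Service Pack 3",
    "Windows 2003 R2 Service Pack 2",
    "Windows Server 2003 R2 Service Pack 2",
]
EDGE_VALUES = ["Windows 7 Professional", "Windows Server 2008 R2 Standard"]

# Patterns posted in the thread. Splunk's (?<name>...) is (?P<name>...) in Python's re.
SED_STYLE = re.compile(r"^(Windows\D+\d+).*$")
LITERAL = re.compile(r"(?P<windows_version>Windows (?:Server )?[0-9]{1,4})")
GENERIC = re.compile(r"(?P<OS>[A-Z][a-z]+\s(?:\d{2,}|\w+\s\d{2,}))")
# Hypothetical variant: same version prefix, with R2 kept in its own optional group.
WITH_R2 = re.compile(r"^(?P<os>Windows (?:Server )?\d{1,4})(?: (?P<release>R2))?")


def _group(pattern, value, name):
    """Lowercased named capture, or None when the pattern does not match."""
    match = pattern.search(value)
    return match.group(name).lower() if match else None


def extract(value):
    """Return each pattern's result for one field value (None means no match)."""
    m = WITH_R2.search(value)
    return {
        # rex mode=sed rewrites the field in place; a non-matching value stays as it was
        "sed": SED_STYLE.sub(r"\1", value).lower(),
        "literal": _group(LITERAL, value, "windows_version"),
        "generic": _group(GENERIC, value, "OS"),
        "release": m.group("release") if m else None,
    }


if __name__ == "__main__":
    for value in QUESTION_VALUES + EDGE_VALUES:
        print(f"{value!r:45} {extract(value)}")
```

All three posted patterns agree on the five values from the question; they diverge only on inputs outside that sample, which is worth checking against your own asset data before normalizing OS names for reporting.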