How to use regex to extract the first 2 or 3 words from the field values below?
OS:
Windows 10 Enterprise
Windows 10 Enterprise 64 bit Edition
Windows 2000 Service Pack 3
Windows 2003 R2 Service Pack 2
Windows Server 2003 R2 Service Pack 2
I need:
windows 10
windows 2000
windows 2003
windows server 2003
Like this:
| makeresults
| eval OS="Windows 10 Enterprise
Windows 10 Enterprise 64 bit Edition
Windows 2000 Service Pack 3
Windows 2003 R2 Service Pack 2
Windows Server 2003 R2 Service Pack 2"
| makemv delim="
" OS
| rename COMMENT AS "Everything above creates test events; everything below is your solution"
| rex field=OS mode=sed "s/^(Windows\D+\d+).*$/\1/"
This is "future-proof".
I would use:
rex field=_raw "(?<windows_version>Windows (?:Server )?[0-9]{1,4})"
The regex breaks down like this:
Windows - exact match
(?:Server )? - optional match; the space after "Server" but before the closing parenthesis is important.
[0-9]{1,4} - match from 1 to 4 numeric characters
I wouldn't extract from _raw if you have another field that includes the data; it would save some of the computational cost.
Try this one,
... | rex "(?<OS>[A-Z][a-z]+\s(?:\d{2,}|\w+\s\d{2,}))"
Hope it helps.
Your search... | rex field=Your_OS_Field = "(?^\w*\s[\d]{2,4})"
Hi kiran331,
try something like this
(?<SO>.*)\s(Enterprise|Service)
in a command
| rex field=your_field "(?<SO>.*)\s(Enterprise|Service)"
you can test it at https://regex101.com/r/UwejCo/1
Bye.
Giuseppe
Thanks cusello. Please let me know how to exclude R2 in the fields.
Hi kiran331,
modify regex in this way
(?U)(?<SO>.*)\s+(R2|Service|Enterprise)
Are you sure you want to exclude R2 from your results? 2008 is really different from 2008/R2!
Bye.
Giuseppe
Hi cusello. That will work if he wants the R2. I think you should append your regex if all he is looking for is up to the version / year number.
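An added example, not part of any post in this thread: a Python check of three of the patterns above against the question's five values, showing which ones keep "R2" and what happens when no version number follows the product name. Splunk's (?<name>...) groups are rewritten as (?P<name>...) for Python's re module, the helper names are hypothetical, and the last input is a constructed value.

```python
import re

# Sample values copied from the question.
SAMPLES = [
    "Windows 10 Enterprise",
    "Windows 10 Enterprise 64 bit Edition",
    "Windows 2000 Service Pack 3",
    "Windows 2003 R2 Service Pack 2",
    "Windows Server 2003 R2 Service Pack 2",
]
# Output the asker wants, in the same order (the question lists it in lower case).
WANTED = [
    "Windows 10", "Windows 10", "Windows 2000",
    "Windows 2003", "Windows Server 2003",
]

# Patterns from the answers; (?<name>...) becomes (?P<name>...) in Python.
SED_STYLE = re.compile(r"^(Windows\D+\d+).*$")
NAMED = re.compile(r"(?P<windows_version>Windows (?:Server )?[0-9]{1,4})")
KEYWORD = re.compile(r"(?P<SO>.*)\s(Enterprise|Service)")


def sed_style(value):
    """Mimic rex mode=sed: rewrite on match, leave the value unchanged otherwise."""
    return SED_STYLE.sub(r"\1", value)


def named(value):
    """Mimic a rex extraction: the captured group, or None when nothing matches."""
    m = NAMED.search(value)
    return m.group("windows_version") if m else None


def keyword(value):
    """Everything before ' Enterprise' or ' Service', so 'R2' is kept."""
    m = KEYWORD.search(value)
    return m.group("SO") if m else None


def run(extractor, values=SAMPLES):
    return [extractor(v) for v in values]


if __name__ == "__main__":
    for name, fn in (("sed", sed_style), ("named", named), ("keyword", keyword)):
        for value, got, want in zip(SAMPLES, run(fn), WANTED):
            print(f"{name:8} {'ok' if got == want else 'DIFF':4} {value!r} -> {got!r}")
    edge = "Windows XP Professional Service Pack 3"  # constructed value
    print(repr(sed_style(edge)), repr(named(edge)))
```

On the constructed value the sed-style pattern returns the whole string, because \D+ runs on to the service pack digit, while the named-group pattern extracts nothing.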