Solved: Regex to extract whole line from raw data

nm8181 · ‎05-25-2021

Hello,

I am trying to extract the full line from the raw data log matching a pattern in the line. Sample data:

blah blah

24 packages updated on 5th may 2021 3:00 pm

blah blah

I am able to use a regex to extract everything after a pattern lets say "packages updated" using the below regex, but I am not able to extract the full line including the number (24 in this case) in the beginning of the line.

base search

| rex field=_raw "(?m)packages updated\s(?<pkg_count>.*)"

With this above regex, I get a new field named pkg_count with value of = on 5th may 2021 3:00 pm

But I'd like to get a field with the full line "24 packages updated on 5th may 2021 3:00 pm"

Thanks!

richgalloway · ‎05-25-2021

You're close. Try this command

| rex field=_raw "(?<pkg_count>\d+)\s+packages updated\s(?<pkg_date>.*)"

The (?m) flag is not needed.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

nm8181 · ‎05-26-2021

Perfect. Thank you!

richgalloway · ‎05-25-2021

You're close. Try this command

| rex field=_raw "(?<pkg_count>\d+)\s+packages updated\s(?<pkg_date>.*)"

The (?m) flag is not needed.

---
If this reply helps you, Karma would be appreciated.

Regex to extract whole line from raw data

field extraction

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?