Rex expression Puzzle

TorbinIT
Path Finder

Hey, is there anyone there good with rex expressions?

I've been given a task by my boss, to extract 4 new fields from the data in one field, pluginText. The data that's currently in pluginText is as follows:

<plugin_output>
Model : Q6042-E
Software version : 5.55.1.2
Version source : HTTP
Fixed version : 6.50.1.2
</plugin_output>

I thought I'd start by just cracking one field and if I can get one, I can sort out the others from that one as a working model. So I figured I'd start with Version source, since the end result I want is for a new field "Version source" to just display 4 letters: "HTTP". 

The problem is that what I'm trying isn't working. I thought THIS might work:

| rex field=pluginID "(?<Version source>\w\w\w\w)"

but it's just giving me an error “Regex: syntax error in subpattern name (missing terminator)”

What am I doing wrong? I'm a newbie at rex expressions and reviewing the documents Splunk's put out hasn't helped much.

1 Solution

gcusello
SplunkTrust

Hi @TorbinIT,

if you haven't already extracted the plugin_output field, you only have to modify your regexes a little:

| rex "Model\s+:\s+(?<Model>[^ ]+)"
| rex "Software\s+version\s+:\s+(?<Software_version>[^ ]+)"
| rex "Version\s+source\s+:\s+(?<Version_source>[^ ]+)"
| rex "Fixed\s+version\s+:\s+(?<Fixed_version>[^ ]+)"

Ciao.

Giuseppe


gcusello
SplunkTrust

Hi @TorbinIT,

if you have already extracted the plugin_output field, you could use the following four regexes:

| rex field=plugin_output "Model\s+:\s+(?<Model>[^ ]+)"
| rex field=plugin_output "Software\s+version\s+:\s+(?<Software_version>[^ ]+)"
| rex field=plugin_output "Version\s+source\s+:\s+(?<Version_source>[^ ]+)"
| rex field=plugin_output "Fixed\s+version\s+:\s+(?<Fixed_version>[^ ]+)"

Ciao.

Giuseppe

TorbinIT
Path Finder

I hadn't actually extracted the plugin_output field. What I showed you was literally everything printed in the pluginText field.

This is useful though. How would I go about extracting plugin_output?


youngsuh
Contributor


Here is what I've done. How to break out the results into individual software correctly in Splunk. Any tips could be helpful. Here is the regex being used for software_name and software_version.

| rex max_match=100 field=pluginText "\n+(?<software_name>[^[].*)\s\s\[version\s\d"
| rex max_match=100 field=pluginText "\s\s\[version\s(?<software_version>[^[]*.)\]"
| stats values(software_name) as software_name values(software_version) as software_version by dest

I'd extracted the text as groups of pairs.
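As an added example (not code from the thread), here is the pairing problem behind youngsuh's question replayed in JavaScript over a constructed inventory text of "name  [version x.y.z]" lines. Two separate extractions followed by stats values() lose which version belongs to which name, because values() returns a deduplicated, lexicographically sorted multivalue; one regex with both groups per match (in SPL, a single rex with two capture groups and max_match, then mvzip and mvexpand) keeps each pair together. The helper names and the sample lines are my own.

```javascript
// Added example, not code from the thread: keeping each software name paired
// with its version when one field holds many "name  [version x.y.z]" lines.
// Helper names are my own; the inventory text below is constructed.

const INVENTORY_TEXT = [
  "The following software are installed on the remote host :",
  "",
  "Example Agent  [version 7.1.0]",
  "Sample Browser  [version 120.0.1]",
  "Demo Runtime  [version 8.0.392]",
  "",
].join("\n");

// Mimics two separate max_match rex calls followed by stats values():
// each field becomes a deduplicated, lexicographically sorted multivalue,
// so the i-th name no longer lines up with the i-th version.
function extractSeparately(text) {
  const names = [...text.matchAll(/^(?<software_name>[^\[\n][^\n]*?)\s{2}\[version\s\d/gm)]
    .map((m) => m.groups.software_name);
  const versions = [...text.matchAll(/\s{2}\[version\s(?<software_version>[^\]]+)\]/g)]
    .map((m) => m.groups.software_version);
  const values = (arr) => [...new Set(arr)].sort(); // what stats values() does
  return { software_name: values(names), software_version: values(versions) };
}

// One regex with both groups per match keeps the pairing intact
// (SPL equivalent: one rex with two groups and max_match, then mvzip/mvexpand).
function extractPaired(text) {
  const re = /^(?<software_name>[^\[\n][^\n]*?)\s{2}\[version\s(?<software_version>[^\]]+)\]/gm;
  return [...text.matchAll(re)].map((m) => ({
    name: m.groups.software_name,
    version: m.groups.software_version,
  }));
}

// Stand-alone run
console.log(extractSeparately(INVENTORY_TEXT)); // versions sorted as strings: "120.0.1" first
console.log(extractPaired(INVENTORY_TEXT));     // three {name, version} objects, in order
```

The lazy `[^\n]*?` in the name group stops at the first double space before `[version`, so a name containing single spaces survives intact, and `^` with the `m` flag anchors each match to a line start the way youngsuh's leading `\n+` does.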

TorbinIT
Path Finder

This makes SO MUCH SENSE. I was looking at it all wrong. 

Looking just at "Model" as an example, you're telling Splunk to search for “Model”, then space between it (the \s+) then a : symbol, then MORE space between the : and the next bit (the \s+) which is the identifiable pattern. THEN, you specify the field you’re looking to create, which you're defining as "Software_version".

The only part I'm not understanding still is the [^ ] at the end. Isn't that a command for "no included character"? Are you telling the search to ignore any spaces in the field and display everything else?

The only other thing worth noting is when I tried your solution, it gave me an output of Q6042-E\n

I don't know where the \n came from

But this is certainly useful! Thank you so very much!

gcusello
SplunkTrust

Hi @TorbinIT,

[^ ]+ means: take all the chars until a space; it's a useful way to take everything when there aren't spaces in the field values.

Ciao.

Giuseppe

P.S.: karma Points are appreciated 😉
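As an added example (not code from the thread), the patterns above replayed in JavaScript, whose RegExp engine shares (?<name>...) named groups, \s and [^ ] with the PCRE engine behind rex. The sample text is constructed to match the pluginText layout from the question (the rex in the question targets pluginID, while the data is described as living in pluginText), and the helper names are my own. It shows why a group name containing a space is rejected, and why [^ ]+ runs past a line break when the field holds real newlines (the \n the asker saw) while \S+ stops at any whitespace.

```javascript
// Added example, not code from the thread: the rex patterns replayed with
// JavaScript's RegExp, which shares (?<name>...) groups, \s and [^ ] with
// the PCRE engine behind Splunk's rex. Helper names are my own.

// Constructed sample reproducing the pluginText layout shown in the question.
const PLUGIN_TEXT = [
  "<plugin_output>",
  "Model : Q6042-E",
  "Software version : 5.55.1.2",
  "Version source : HTTP",
  "Fixed version : 6.50.1.2",
  "</plugin_output>",
].join("\n");

// Label pattern -> field name, as in the accepted answer.
const FIELD_SPECS = [
  ["Model", "Model"],
  ["Software\\s+version", "Software_version"],
  ["Version\\s+source", "Version_source"],
  ["Fixed\\s+version", "Fixed_version"],
];

// Why the original attempt errors out: a capture-group name cannot contain a
// space. rex reports "syntax error in subpattern name (missing terminator)";
// RegExp rejects the same pattern with a SyntaxError. Returns the error name,
// or null when the name compiles.
function groupNameError(name) {
  try {
    new RegExp(`(?<${name}>\\w{4})`);
    return null;
  } catch (e) {
    return e.name;
  }
}

// Extract the four fields. valuePattern is what captures the value:
//   "[^ ]+"  the answer's pattern; it excludes only the space character, so on
//            text with real line breaks it keeps going past the newline
//   "\\S+"   any run of non-whitespace; stops at newline, tab and space
function extractFields(text, valuePattern) {
  const fields = {};
  for (const [label, field] of FIELD_SPECS) {
    const re = new RegExp(`${label}\\s+:\\s+(?<${field}>${valuePattern})`);
    const m = re.exec(text);
    if (m) fields[field] = m.groups[field];
  }
  return fields;
}

// Stand-alone run
console.log(groupNameError("Version source"));          // SyntaxError
console.log(groupNameError("Version_source"));          // null
console.log(extractFields(PLUGIN_TEXT, "[^ ]+").Model); // "Q6042-E\nSoftware"
console.log(extractFields(PLUGIN_TEXT, "\\S+"));        // clean values for all four fields
```

Whether [^ ]+ over-captures in practice depends on the exact whitespace in the indexed field: with real newlines it swallows the next label up to its first space, with literal backslash-n text it behaves differently again. \S+ is the safer choice when a value is known to contain no whitespace at all.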
