Splunk Search

Table using regex

VRP136
Engager

Below is my raw log

 

[08/28/2024 08:14:50] Current Device Info ... ****************************************************************************** Current Mode: Skull Teams Current Device name: xxxxx  Crestron Package Environment version :1.00.00.004 Crestron Package Firmware version :1.17.00.040 Crestron Package Flex-Hub version :1.3.0127.00204 Crestron Package HD-CONV-USB-200 version :009.051 

 

I want extract only  : Crestron Package Firmware version :xx.xx.xxx 

I wrote a query like bleow , but not working , pls help

index=123 sourcetype = teams
| search "Crestron Package Firmware version :"
| rex field=_raw ":\s+(?<CCSFirmware>.*?)$"
| eval Time(utc)=strftime(_time, "%y-%m-%d %H:%M:%S")
| table host Time(utc) CCSFirmware

 

Labels (1)
0 Karma
1 Solution

dural_yyz24
Explorer

Try this inside the quotes

 

Crestron Package Firmware version :(?<CCSFirmware>[^\s]+)

View solution in original post

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Try something like this

index=123 sourcetype = teams
| search "Crestron Package Firmware version :"
| rex field=_raw "Crestron Package Firmware version :\s+(?<CCSFirmware>\S*?)"
| eval Time(utc)=strftime(_time, "%y-%m-%d %H:%M:%S")
| table host Time(utc) CCSFirmware

VRP136
Engager

No luck , 

VRP136_0-1724937748453.png

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Looks like there may not be a space after the colon so use * instead of +

| rex field=_raw "Crestron Package Firmware version :\s*(?<CCSFirmware>\S*?)"

It would help if you share your event data in a code block so that formatting e.g. spaces are preserved

0 Karma

dural_yyz24
Explorer

Try this inside the quotes

 

Crestron Package Firmware version :(?<CCSFirmware>[^\s]+)

0 Karma

VRP136
Engager

This worked , Thank you so much @dural_yyz24 

0 Karma
Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...