Solved: Writing Regex with Lookaheads to Capture Group

nateloepker · ‎02-02-2024

Hello,

I am attempting to write some regex with a lookahead.

My event is

pluginText: <plugin_output>
Here is the list of packages installed on the remote Red Hat Linux system :

libkadm5-1.18.2-26.el8_9|(none) Wed 17 Jan 2024 10:21:40 AM CST
sssd-client-2.9.1-4.el8_9|(none) Wed 03 Jan 2024 06:05:06 AM CST
plugin_id: 22869

I would like to capture everything before the plugin_id and after the "Here is the list of packages installed on the remote Red Hat Linux system :\n\n". So all of the software data. My plan is to first extract everything into a big field and then pipe it to another rex command and use max_mode=0 to extract the software into a MV field.

I am having some trouble implementing this. Help is appreciated

Thank you

Nate

ITWhisperer · ‎02-02-2024

| rex "(?ms)Here is the list of packages installed on the remote Red Hat Linux system :

(?<software>.*?)\nplugin_id"

View solution in original post

ITWhisperer · ‎02-02-2024

| rex "(?ms)Here is the list of packages installed on the remote Red Hat Linux system :

(?<software>.*?)\nplugin_id"

Writing Regex with Lookaheads to Capture Group

rex

Can’t make it to .conf25? Join us online!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Are you a member of the Splunk Community?

Writing Regex with Lookaheads to Capture Group

rex

Can’t make it to .conf25? Join us online!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions