Solved: Writing Regex with Lookaheads to Capture Group

nateloepker · ‎02-02-2024

Hello,

I am attempting to write some regex with a lookahead.

My event is

pluginText: <plugin_output>
Here is the list of packages installed on the remote Red Hat Linux system :

libkadm5-1.18.2-26.el8_9|(none) Wed 17 Jan 2024 10:21:40 AM CST
sssd-client-2.9.1-4.el8_9|(none) Wed 03 Jan 2024 06:05:06 AM CST
plugin_id: 22869

I would like to capture everything before the plugin_id and after the "Here is the list of packages installed on the remote Red Hat Linux system :\n\n". So all of the software data. My plan is to first extract everything into a big field and then pipe it to another rex command and use max_mode=0 to extract the software into a MV field.

I am having some trouble implementing this. Help is appreciated

Thank you

Nate

ITWhisperer · ‎02-02-2024

| rex "(?ms)Here is the list of packages installed on the remote Red Hat Linux system :

(?<software>.*?)\nplugin_id"

View solution in original post

ITWhisperer · ‎02-02-2024

| rex "(?ms)Here is the list of packages installed on the remote Red Hat Linux system :

(?<software>.*?)\nplugin_id"

Writing Regex with Lookaheads to Capture Group

rex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Guide: Isolated OpenTelemetry Tracing for Multiple WARs in WildFly

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

Join the Conversation