Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

creating a new field using Regex

mr_t2083
Explorer
‎04-30-2018 01:53 PM

how do you create a field using regex with the following example below
for example

exsamplefield=cpe:/o:microsoft:windows

I would like to extract microsoft from the above field?

What would be proper regex used to extract this?

Tags (1)
0 Karma
Reply

macadminrohit
Contributor
‎05-01-2018 08:19 AM

cpe:\/(a|o):(?\w+):.*

microsoft will be captured in the named group

For testing, try www.regex101.com

0 Karma
Reply

macadminrohit
Contributor
‎05-01-2018 08:19 AM 
cpe:\/(a|o):(?<fieldname>\w+):.*
0 Karma
Reply

woodcock
Esteemed Legend
‎05-01-2018 07:50 AM

Like this:

... | rex field=exsamplefield="^(?:[^:]*:){2}(?<YourNameHere>[^:]+)"
Reply

somesoni2
Revered Legend
‎04-30-2018 02:35 PM

Will it always be in same position?

Reply

mr_t2083
Explorer
‎05-01-2018 06:30 AM

same position yes but not same letter, this is another example " cpe:/a:microsoft:malicious_software_removal_tool" so I'm looking for a way to distinguish between cpe:/o and cpe:/a

0 Karma
Reply

somesoni2
Revered Legend
‎05-01-2018 07:16 AM

Have you tried any of solution below? They both should work for you. If you want little more specific regex based on your data, you can try this cpe\:\/(o|a)\:(?<YourFieldName>[^\:]+). (Basically look for either cpe:/a: or cpe:/o: and capture everything after that till next colon)

0 Karma
Reply

PowerPacked
Builder
‎04-30-2018 02:30 PM

Hi mr_t2083

Please use this REX,

am uploading pic as this page will try to remove some characters from REX if directly posted.
alt text

& if you want to apply Rex to field itself, refer to this second pic

alt text

Thanks

Reply

xpac
SplunkTrust
SplunkTrust
‎04-30-2018 01:57 PM

To build a proper regex, you need to describe your data properly, it has to have some reliable characteristics.
With your example above, multiple characteristics are possible, but without further example data it's hard to find those similarities.

This is an example: ^[^:]+:[^:]+:(?<yourfield>[^:]+:)
This one would assume that there is always to parts in that field, seperated by :, and the value you want to extract is between the second and third :. If that's true - here's your regex 😉

0 Karma
Reply
Get Updates on the Splunk Community!

How to send events & findings from AWS to Splunk using Amazon EventBridge

Amazon EventBridge is a serverless service that uses events to connect application components together, making ...

Exciting News: The AppDynamics Community Joins Splunk!

Hello Splunkers,   I’d like to introduce myself—I’m Ryan, the former AppDynamics Community Manager, and I’m ...

The All New Performance Insights for Splunk

Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...
Top