Re: field extraction with rex

borisk95 · ‎03-31-2019

Field sample: <"Data Name='Description'>Microsoft ® Console Based Script Host"<"/Data">

| rex ""(?[a-zA-Z0-9.: \\]+)<\/Data> 
| rex (?[a-zA-Z0-9.: \\]+)
| rex (?[a-zA-Z0-9.: \\]+)

Missing or malformed messages.conf stanza for SEARCHFACTORY:UNKNOWN_OP__a
using | rex (?\d+)<\/EventID> which does not have <"EventID='something'"> works fine

borisk95 · ‎04-04-2019

The error was in case of placing ["'] symbols

borisk95 · ‎04-04-2019

| rex (?\w+[a-zA-Z0-9:;'"./\])</\Data>
| lookup sys.csv EventID OUTPUT Description
| stats c by EventID,Date,Description

Unknown search command 'a'.

woodcock · ‎03-31-2019

I am making a HUGE guess that the desire is that a field called Description should obtain a value called "Microsoft ® Console Based Script Host" and that other similarly encoded KVPs should be created likewise. If so, try this:

... | eval _raw="<\"Data Name='Description'>Microsoft ® Console Based Script Host\"<\"/Data\">" 
| rex max_match=0 "Data Name='(?<key>[^']+)'\>(?<value>[^\"]+)"
| rex field=value mode=sed "s/^/\"/ s/$/\"/"
| eval _raw = mvzip(key, value, "=")
| kv

borisk95 · ‎04-02-2019

""<"Data Name='Image'">C:\Program Files\Splunk\bin\splunkd.exe<"/Data">""

| rex field=_raw (?[a-zA-Z0-9.: \]+)<\/Data>

this is my example

richgalloway · ‎03-31-2019

What is your question? What field(s) are you trying to extract?
Please edit your question to restore the regular expressions. Don't change the indentation.

---
If this reply helps you, Karma would be appreciated.

borisk95 · ‎04-02-2019

""<"Data Name='Image'">C:\Program Files\Splunk\bin\splunkd.exe<"/Data">""

| rex field=_raw (?[a-zA-Z0-9.: \]+)<\/Data>

this is my example

field extraction with rex

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability