Splunk Search

field extraction with rex

New Member

Field sample: <"Data Name='Description'>Microsoft ® Console Based Script Host"<"/Data">

| rex ""(?[a-zA-Z0-9.: \\]+)<\/Data> 
| rex (?[a-zA-Z0-9.: \\]+)
| rex (?[a-zA-Z0-9.: \\]+)

Missing or malformed messages.conf stanza for SEARCHFACTORY:UNKNOWNOP_a
using | rex (?\d+)<\/EventID> which does not have <"EventID='something'"> works fine

0 Karma

New Member

The error was in case of placing ["'] symbols

0 Karma

New Member

| rex (?\w+[a-zA-Z0-9:;'"./\])</\Data>
| lookup sys.csv EventID OUTPUT Description
| stats c by EventID,Date,Description

Unknown search command 'a'.

0 Karma

Esteemed Legend

I am making a HUGE guess that the desire is that a field called Description should obtain a value called "Microsoft ® Console Based Script Host" and that other similarly encoded KVPs should be created likewise. If so, try this:

... | eval _raw="<\"Data Name='Description'>Microsoft ® Console Based Script Host\"<\"/Data\">" 
| rex max_match=0 "Data Name='(?<key>[^']+)'\>(?<value>[^\"]+)"
| rex field=value mode=sed "s/^/\"/ s/$/\"/"
| eval _raw = mvzip(key, value, "=")
| kv
0 Karma

New Member

""<"Data Name='Image'">C:\Program Files\Splunk\bin\splunkd.exe<"/Data">""

| rex field=_raw (?[a-zA-Z0-9.: \]+)<\/Data>

this is my example

0 Karma

SplunkTrust
SplunkTrust

What is your question? What field(s) are you trying to extract?
Please edit your question to restore the regular expressions. Don't change the indentation.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

New Member

""<"Data Name='Image'">C:\Program Files\Splunk\bin\splunkd.exe<"/Data">""

| rex field=_raw (?[a-zA-Z0-9.: \]+)<\/Data>

this is my example

0 Karma