Splunk Search

regex Field Extraction

es2464
New Member

Hi, I have a data to be extracted. Below is the example data :

Add Content Menu Sections (confluence.menu.add, Version: 1.0, Installed: bundled)
Admin Sections (confluence.sections.admin, Version: 1.0, Installed: bundled)

I would like to get Add Content Meni Sections and Admin Sections as a field called 'Name', and confluence.menu.add and confluence.sections.admin as 'Package' field as well as 'Version' field.

My current regex is | rex "\\w*\\s*\\((?P<package>[^\\(]+),\\sVersion:\\s(?P<version>[^,]+)" and I only get 4 out of 50 of same formatted lines exist, using this regex.
Anyone has any idea? thanks.

0 Karma

kristian_kolb
Ultra Champion

This should work..

... | rex "(?<name>[\w\s]+)\s\((?<package>[^,]+),\sVersion:\s(?<version>[^,]+),"

Hope this helps,

Kristian

0 Karma

es2464
New Member

they both are matching

0 Karma

Ayn
Legend

Which lines are matching and which are not? Also do you use double backspaces just on this site or in your regex as well? They should be single backspaces only.

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Casting Call: Compete in Cyber Games

Lights, Camera, SecOps: Apply to Compete in Cyber Games     Think you have what it takes to beat the clock? ...

Data Management Digest – June 2026

Welcome to the June 2026 edition of Data Management Digest! This month’s update is short and sweet, with a ...

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...