Solved: regex help to split into two rows of data

thaghost99 · ‎02-27-2024

here is the current data

Feb 27 14:12:38
node0:
--------------------------------------------------------------------------

Attack database version:3670(Thu Feb 22 14:12:38 2024 UTC)
Detector version :12.2.140230313
Policy template version :3535

node1:
--------------------------------------------------------------------------

Attack database version:3670(Thu Feb 22 14:12:38 2024 UTC)
Detector version :12.2.140230313
Policy template version :3535

{primary:node0}

i need help extracting the values for attack version (just the digit), detector version and policy template version, by node (ie: node 0 and node 1)

output looks like something like this

Node Attack database version Detector version Policy template version

node0 3670 12.2.140230313 3535

node1 3670 12.2.140230313 3535

please and thank you, i am only able to get the node0 but not node1 😞

gcusello · ‎02-27-2024

Hi @thaghost99,

please try this regex:

| rex "(?ms)(?<node>node\d+).*?Attack database version:(?<Attack_database_version>\d+).*?Detector version\s*:(?<Detector_version>[^\n]+).*?Policy template version\s*:(?<Policy_template_version>\d+)"

that you can test at https://regex101.com/r/R9SWnM/1

Ciao.

Giuseppe

View solution in original post

thaghost99 · ‎02-28-2024

thanks that did it. thank you

gcusello · ‎02-27-2024

Hi @thaghost99,

please try this regex:

| rex "(?ms)(?<node>node\d+).*?Attack database version:(?<Attack_database_version>\d+).*?Detector version\s*:(?<Detector_version>[^\n]+).*?Policy template version\s*:(?<Policy_template_version>\d+)"

that you can test at https://regex101.com/r/R9SWnM/1

Ciao.

Giuseppe

regex help to split into two rows of data

distributed search

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

Stay Connected: Your Guide to February Tech Talks, Office Hours, and Webinars!