Splunk Search

Rex expression Puzzle

TorbinIT
Path Finder

Hey, is there anyone there good with rex expressions?

I've been given a task by my boss, to extract 4 new fields from the data in one fiend, pluginText. The data that's currently in pluginText is as follows:

<plugin_output>
Model : Q6042-E
Software version : 5.55.1.2
Version source : HTTP
Fixed version : 6.50.1.2
</plugin_output>

I thought I'd start by just cracking one field and if I can get one, I can sort out the others from that one as a working model. So I figured I'd start with Version source, since the end result I want is for a new field "Version source" to just display 4 letters: "HTTP". 

The problem is that it's not working, what I'm trying. I thought THIS might work:

| rex field=pluginID "(?<Version source>\w\w\w\w)"

but it's just giving me an error “Regex: syntax error in subpattern name (missing terminator)”

What am I doing wrong? I'm newbie at rex expressions and reviewing the documents Splunk's put out hasn't helped much. 

Labels (1)
Tags (1)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @TorbinIT,

if you didn't already extracted the plugin_output field, you have only to a little modify your regexes:

| rex "Model\s+:\s+(?<Model>[^ ]+)"
| rex "Software\s+version\s+:\s+(?<Software_version>[^ ]+)"
| rex "Version\s+source\s+:\s+(?<Version_source>[^ ]+)"
| rex "Fixed\s+version\s+:\s+(?<Fixed_version>[^ ]+)"

 Ciao.

Giuseppe

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi @TorbinIT,

if you already extracted the plugin_output field, you could use the following four regexes:

| rex field=plugin_output "Model\s+:\s+(?<Model>[^ ]+)"
| rex field=plugin_output "Software\s+version\s+:\s+(?<Software_version>[^ ]+)"
| rex field=plugin_output "Version\s+source\s+:\s+(?<Version_source>[^ ]+)"
| rex field=plugin_output "Fixed\s+version\s+:\s+(?<Fixed_version>[^ ]+)"

Ciao.

Giuseppe

TorbinIT
Path Finder

I hadn't actually extracted a the plugin_output field. What I showed you was literally everything printed in the pluginText field, 

This is useful though. How would I go about extracting plugin_output?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @TorbinIT,

if you didn't already extracted the plugin_output field, you have only to a little modify your regexes:

| rex "Model\s+:\s+(?<Model>[^ ]+)"
| rex "Software\s+version\s+:\s+(?<Software_version>[^ ]+)"
| rex "Version\s+source\s+:\s+(?<Version_source>[^ ]+)"
| rex "Fixed\s+version\s+:\s+(?<Fixed_version>[^ ]+)"

 Ciao.

Giuseppe

youngsuh
Contributor

 

Here is what I've done.  How to break out the results into individual software correctly in Splunk.  Any tips could be helpful.  Here is the regex being used for software_name and software_version.

| rex max_match=100 field=pluginText "\n+(?<software_name>[^[].*)\s\s\[version\s\d"
| rex max_match=100 field=pluginText "\s\s\[version\s(?<software_version>[^[]*.)\]"
| stats values(software_name) as software_name values(software_version) as software_version by dest

I'd extracted the text has group of pairs.I'd extracted the text has group of pairs.

TorbinIT
Path Finder

This makes SO MUCH SENSE. I was looking at it all wrong. 

Looking just at "Model" as an example, you're telling Splunk to search for “Model”, then space between it (the \s+) then a : symbol, then MORE space between the : and the next bit (the \s+) which is the identifiable pattern. THEN, you specify the field you’re looking to create, which you're defining as "Software_version".

The only part I'm not understanding still is the [^ ] at the end. Isn't that a command for "no included character"? Are you telling the search to ignore anything spaces in the field and display everything else?

The only other thing worth noting is when i tried your solution, it gave me an output of Q6042-E\n

I don't know where the \n came from

But this is certainly useful! Thank you so very much!

gcusello
SplunkTrust
SplunkTrust

Hi @TorbinIT,

 [^ ] + means: take all the chars until a space, it's an useful way to take all when there aren't spaces in the field values.

Ciao.

Giuseppe

P.S.: karma Points are appreciated 😉

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...