How to write a rex expression to pull out a specif...

TorbinIT · ‎04-11-2023

Hello! So I'm trying to write a rex expression to pull out a specific bit of data from this:

<plugin_output>Operating system version = 10.19044 Architecture = x64 Build lab extended = 19041.1.amd64fre.vb_release.191206-1406 </plugin_output>

Specifically I want to extract the Operating System Version as a new field, "Win10Build", but I want only everything after the period, so in this specific example I'd like to have the new field Win10Build=19044.

I've got a rex expression that ALMOST works for this:

| rex field=pluginText (?<Win10Build>\.\d+)

But I haven't figured out how to make it so that it only captures the 5 digits after the period and nothing else. This is just the closest my attempts have gotten. Right now it captures the period and everything after it.

Any suggestions for how I can refine my search? If nothing else I could include an eval command in my search that filters out the periods and just leaves the 5 digit values, but that seems crude and complicated to me and I'd like elegant and simple. If I could just write a rex expression that filters out the period it'd save the search time and effort, right?

Thank you for any replies and for helping me learn!

richgalloway · ‎04-11-2023

You're very close. Just move the dot out of the capture group.

| rex field=pluginText "\.(?<Win10Build>\d+)"

---
If this reply helps you, Karma would be appreciated.

TorbinIT · ‎04-11-2023

...I can't believe it was that simple and I missed it. Thank you so much for the help!

How to write a rex expression to pull out a specific bit of data?

field extraction

rex

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

Everything Community at .conf24!

Index This | I’m short for "configuration file.” What am I?