Solved: How to edit my regular expression to extract these...

dbcase · ‎10-13-2016

Hi,

I have the below data

10.210.192.15 - - [12/Oct/2016:19:59:43 -0400] "GET /rest/icontrol/login?expand=sites,instances,points,functions HTTP/1.1" 401 6 "-" "Mozilla/5.0 (Linux; Android 6.0.1; SAMSUNG-SM-G920A Build/MMB29K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.124 Mobile Safari/537.36"

10.210.192.5 - - [12/Oct/2016:19:50:06 -0400] "GET /rest/icontrol/login?expand=sites,instances,points,functions HTTP/1.1" 401 6 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Mobile/14A456"

And I'm trying to match on the OS for Android or the iPhone. I have this much of the regex (Android|iPhone) (?P<os>) but I'm now stumped as to what the remaining portion should be. I need to capture 6.0.1 from the first line and 10_0_2 from the second line.

somesoni2 · ‎10-13-2016

How about this

Updated

your base search | rex  "((Android)|(iPhone OS)) (?<os>[^\s\;]+)"

View solution in original post

aljohnson_splun · ‎10-13-2016

https://regex101.com/r/oeF93v/1

dbcase · ‎10-13-2016

Hi,

Yes I'm already using that site but still stumped.

somesoni2 · ‎10-13-2016

How about this

Updated

your base search | rex  "((Android)|(iPhone OS)) (?<os>[^\s\;]+)"

lakromani · ‎10-13-2016

You do not need it inner parentheses, and you do not need to escape the ;, so this should do:

 your base search | rex  "(Android|iPhone OS) (?<os>[^\s;]+)"

dbcase · ‎10-13-2016

BINGO!!!! Many thanks!!!!

dbcase · ‎10-13-2016

Hey Somesoni2!

Close, that grabs the second line 10_0_2 but not the first line 6.0.1

somesoni2 · ‎10-13-2016

How about now?

How to edit my regular expression to extract these fields from my sample data?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor