Splunk Search

Regex help!

kiran331
Builder

How do I use a regex to extract the first 2 or 3 words from the field values below?

OS:
Windows 10 Enterprise

Windows 10 Enterprise 64 bit Edition

Windows 2000 Service Pack 3
Windows 2003 R2 Service Pack 2
Windows Server 2003 R2 Service Pack 2

I need:

windows 10
windows 2000
windows 2003
windows server 2003

0 Karma
1 Solution

woodcock
Esteemed Legend

Like this:

| makeresults 
| eval OS="Windows 10 Enterprise 
Windows 10 Enterprise 64 bit Edition 
Windows 2000 Service Pack 3
Windows 2003 R2 Service Pack 2
Windows Server 2003 R2 Service Pack 2"
| makemv delim="
" OS

| rename COMMENT AS "Everything above creates test events; everything below is your solution"

| rex field=OS mode=sed "s/^(Windows\D+\d+).*$/\1/"

woodcock
Esteemed Legend

This is "future-proof".

0 Karma

wenthold
Communicator

I would use:

rex field=_raw "(?<windows_version>Windows (?:Server )?[0-9]{1,4})"

The regex breaks down like this:
Windows - exact match
(?:Server )? - optional match, the space after "Server" but before the close parentheses is important.
[0-9]{1,4} - match from 1 to 4 numeric characters

I wouldn't extract from _raw if you have another field that includes the data; it would save some of the computational cost.

0 Karma

alemarzu
Motivator

Try this one,

... | rex  "(?<OS>[A-Z][a-z]+\s(?:\d{2,}|\w+\s\d{2,}))"

Hope it helps.

0 Karma
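The accepted sed-mode rex, wenthold's match pattern and alemarzu's match pattern behave differently when a value is not a clean "Windows N ..." string, which matters when the extracted field feeds an asset inventory or vulnerability report. The Python script below is an added example, not code from any of the posters: it runs the three patterns over the five values from the question plus two constructed edge cases (a non-Windows value and a lowercase value). Splunk's `(?<name>...)` group syntax is written as Python's `(?P<name>...)`, and the function names, the `normalize` helper and the extra sample values are assumptions made for this script.

```python
import re

# Constructed sample values: the five from the question plus two edge cases
# (a non-Windows value and a lowercase value) added here to show how each
# pattern fails when the input is not what it expects.
SAMPLE_OS = [
    "Windows 10 Enterprise",
    "Windows 10 Enterprise 64 bit Edition",
    "Windows 2000 Service Pack 3",
    "Windows 2003 R2 Service Pack 2",
    "Windows Server 2003 R2 Service Pack 2",
    "Ubuntu 22.04 LTS",   # constructed: not a Windows string at all
    "windows 11 pro",     # constructed: lowercase, as some agents report it
]

# The accepted sed-mode pattern: "Windows", any run of non-digits, then the
# first digit run; everything after that is discarded by the substitution.
SED_PATTERN = re.compile(r"^(Windows\D+\d+).*$")

# wenthold's match pattern: literal "Windows", optional "Server ", 1-4 digits.
WENTHOLD_PATTERN = re.compile(r"(?P<windows_version>Windows (?:Server )?[0-9]{1,4})")

# alemarzu's match pattern: any capitalised word, then digits or word+digits.
ALEMARZU_PATTERN = re.compile(r"(?P<OS>[A-Z][a-z]+\s(?:\d{2,}|\w+\s\d{2,}))")


def sed_style(value):
    r"""Python equivalent of `rex mode=sed "s/^(Windows\D+\d+).*$/\1/"`.
    sed substitution leaves a non-matching value untouched, so the field
    still carries the full original string instead of a version."""
    return SED_PATTERN.sub(r"\1", value)


def match_style(pattern, value, group):
    """Python equivalent of `rex "(?<name>...)"`: the field is the captured
    group, or absent (None here) when the pattern does not match."""
    m = pattern.search(value)
    return m.group(group) if m else None


def normalize(value):
    """Extract with the Windows-specific match pattern and lowercase the result,
    which is the form the question asked for ("windows 10"). Values that do
    not match come back as None so the caller can count and review them
    rather than treating the raw string as a version."""
    extracted = match_style(WENTHOLD_PATTERN, value, "windows_version")
    return extracted.lower() if extracted else None


def compare(values):
    """Run all three extractions over the values; returns {raw: (sed, wenthold, alemarzu)}."""
    return {
        v: (
            sed_style(v),
            match_style(WENTHOLD_PATTERN, v, "windows_version"),
            match_style(ALEMARZU_PATTERN, v, "OS"),
        )
        for v in values
    }


if __name__ == "__main__":
    for raw, results in compare(SAMPLE_OS).items():
        print(f"{raw!r:45} sed={results[0]!r} wenthold={results[1]!r} alemarzu={results[2]!r}")
    unmatched = [v for v in SAMPLE_OS if normalize(v) is None]
    print("values that produced no version:", unmatched)
```

On the question's own values all three patterns agree. The differences show up on the constructed inputs: the sed substitution passes "Ubuntu 22.04 LTS" through unchanged, so a report grouped on that field would contain raw strings next to versions; the match patterns yield no field, which is easy to count and review. alemarzu's product-agnostic pattern also returns "Ubuntu 22" for the non-Windows value, and all three are case-sensitive, so the lowercase value matches nothing.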

damiensurat
Contributor

Your search... | rex field=Your_OS_Field "(?<OS>^\w*\s[\d]{2,4})"

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi kiran331,
try something like this

(?<SO>.*)\s(Enterprise|Service)

in a command

| rex field=your_field "(?<SO>.*)\s(Enterprise|Service)"

you can test it at https://regex101.com/r/UwejCo/1

Bye.
Giuseppe

0 Karma

kiran331
Builder

Thanks cusello, please let me know how to exclude R2 in the fields.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi kiran331,
modify regex in this way

(?U)(?<SO>.*)\s+(R2|Service|Enterprise)

Are you sure you want to exclude R2 from your results? 2008 is really different from 2008/R2!
Bye.
Giuseppe

0 Karma
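The two gcusello patterns differ only in greediness, and that is what decides whether "R2" survives. The Python script below is an added example, not code from the posters: it applies the greedy pattern and an ungreedy version to the question's values plus two constructed "2008" entries, and then groups raw values by what was extracted to make gcusello's warning concrete. Python's `re` has no `(?U)` flag with PCRE's meaning, so the lazy quantifier `.*?` stands in for it here; the `collisions` helper and the 2008 sample values are assumptions made for this script.

```python
import re

# Constructed sample values: four from the question plus two constructed
# "2008" entries, added to show what dropping R2 costs.
SAMPLE_OS = [
    "Windows 10 Enterprise 64 bit Edition",
    "Windows 2000 Service Pack 3",
    "Windows 2003 R2 Service Pack 2",
    "Windows Server 2003 R2 Service Pack 2",
    "Windows Server 2008 Service Pack 2",      # constructed
    "Windows Server 2008 R2 Service Pack 1",   # constructed
]

# gcusello's first pattern: greedy .* keeps everything up to the last
# " Enterprise"/" Service", so "R2" survives in the capture.
GREEDY = re.compile(r"(?P<SO>.*)\s(Enterprise|Service)")

# gcusello's second pattern used (?U) to make PCRE quantifiers ungreedy.
# Python's re has no such flag, so .*? is used instead (assumption); with R2
# in the alternation the capture stops before it.
UNGREEDY = re.compile(r"(?P<SO>.*?)\s+(R2|Service|Enterprise)")


def extract(pattern, value):
    """Return the SO capture, or None when the pattern does not match."""
    m = pattern.search(value)
    return m.group("SO") if m else None


def collisions(pattern, values):
    """Group raw values by what the pattern extracts. Any group holding more
    than one raw value is a set of distinct products the extracted field can
    no longer tell apart, which is the loss gcusello warns about."""
    groups = {}
    for v in values:
        groups.setdefault(extract(pattern, v), []).append(v)
    return {k: vs for k, vs in groups.items() if len(vs) > 1}


if __name__ == "__main__":
    for v in SAMPLE_OS:
        print(f"{v!r:42} greedy={extract(GREEDY, v)!r} ungreedy={extract(UNGREEDY, v)!r}")
    print("greedy collisions:  ", collisions(GREEDY, SAMPLE_OS))
    print("ungreedy collisions:", collisions(UNGREEDY, SAMPLE_OS))
```

With the greedy pattern every sample value maps to its own key; with the ungreedy pattern "Windows Server 2008 Service Pack 2" and "Windows Server 2008 R2 Service Pack 1" both collapse to "Windows Server 2008", so anything keyed on that field (patch status, end-of-support dates) would treat two different products as one.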

damiensurat
Contributor

Hi cusello. That will work if he wants the R2; I think you should append your regex if all he is looking for is up to the version / year number.

0 Karma