Splunk Search

How to edit my search to extract a specific value from a reoccurring field within a single event?

raby1996
Path Finder

Hi all,

I'm having trouble extracting a specific value from a reoccurring field within a single event. My search looks like this:

index=* sourcetype=collectedCodeLevels.All "HMC Code Levels" " Package Level" AND "Sea.ha"
| rex "(?P<LIC>(?<=Level:)(\s\d+\.\d+\.\d+\.\d(?!.*Level)))"

and the event data looks like this:

 Package : RFD.bla , MTMS: XXXX-XXX*XXXXXXX <BR>    Date: 2012/06/20-16:31, Bundle VRMF: XX.XX.XXX.X , Package Level: X.X.XXX.XX, Mode: CCL<BR> 
  Package: SEA.ha , MTMS: XXXX-XXX*XXXXXXX <BR>    Date: 2014/07/19-16:12, Bundle VRMF: XX.XX.XX.X , Package Level: X.X.X.XXXX, Mode: CCL<BR> <BR>

From this data, I would like to extract the Package Level number (the one after Bundle VRMF) only after the SEA.ha specific occurrence. I've tried using lookaheads and they don't seem to work, and so far I've only been able to extract the first occurrence of that pattern which is wrong.
(P.S. Everything I need is within that SEA.ha event, so if there's a way to separate that occurrence as a single event, that would work too.)
Thank you!

0 Karma
1 Solution

woodcock
Esteemed Legend

My previous answer does not properly handle newlines between the important texts but this one should; try this:

index=* sourcetype=collectedCodeLevels.All "HMC Code Levels" " Package Level" AND "Sea.ha" | rex "(?m)Package:\s+SEA\.ha.*?$[\r\n]+.*?Package Level:\s+(?<SEA_ha_Package_Level>\d+\.\d+\.\d+\.\d+)"
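As an added illustration (not code from the thread), the patterns discussed here run against a constructed event laid out the way the asker's second sample is, using Python's re module. Python requires (?P<name>...) where Splunk's PCRE accepts (?<name>...); otherwise the expressions are unchanged, and the Package Level numbers in the sample are made up because the original values are masked.

```python
import re
from typing import Optional

# Constructed event in the layout the asker posted (values are masked there;
# the Package Level numbers below are made up so that \d+ has something to match).
EVENT = (
    "Package: RFD.bla , MTMS: XXXX-XXX*XXXXXXX\n"
    "Date: 2012/06/20-16:31, Bundle VRMF: X.X.XX.XX , Package Level: 1.2.003.45, Mode: CCL\n"
    "Package: SEA.ha , MTMS: XXXX-XXX*XXXXXXX\n"
    "Date: 2015/07/18-20:40, Bundle VRMF: X.X.XX.XX , Package Level: 7.1.40.1234, Mode: REMOTE_CCL\n"
    "Package: SEA.se , MTMS: XXXX-XXX*XXXXXXX\n"
    "Date: 2015/07/18-21:05, Bundle VRMF: X.X.XX.XX , Package Level: 7.1.40.5678, Mode: REMOTE_CCL\n"
)

LEVEL = r"\d+\.\d+\.\d+\.\d+"

# Unanchored: returns whichever "Package Level" comes first in the event,
# which is the RFD.bla one, not SEA.ha's. This is the wrong result the asker saw.
FIRST_LEVEL = re.compile(r"Package Level:\s+(?P<LIC>" + LEVEL + ")")

# The first suggested pattern: "." does not cross a line break, so when the
# "Package:" and "Date:" lines are separate there is no match at all.
SAME_LINE = re.compile(r"(?m)Package:\s+SEA\.ha.*?Package Level:\s+(?P<SEA_ha_Package_Level>" + LEVEL + ")")

# The accepted answer: (?m) lets $ match at the end of the SEA.ha line,
# [\r\n]+ steps over the break, and the lazy .*? on the next line stops at
# the first "Package Level:". Splunk's PCRE accepts (?<name>...); Python needs (?P<name>...).
ACCEPTED = re.compile(
    r"(?m)Package:\s+SEA\.ha.*?$[\r\n]+.*?Package Level:\s+(?P<SEA_ha_Package_Level>" + LEVEL + ")"
)

# The asker's own tweak: (?:\n|.)*? lets the gap span line breaks without the $ anchor.
TWEAKED = re.compile(r"(?m)Package:\s+SEA\.ha(?:\n|.)*?Package Level:\s+(?P<SEA_ha_Package_Level>" + LEVEL + ")")


def first_level(event: str) -> Optional[str]:
    m = FIRST_LEVEL.search(event)
    return m.group("LIC") if m else None


def sea_ha_level(event: str, pattern: re.Pattern = ACCEPTED) -> Optional[str]:
    m = pattern.search(event)
    return m.group("SEA_ha_Package_Level") if m else None


if __name__ == "__main__":
    print("first Package Level in the event:", first_level(EVENT))
    for name, pat in (("same-line", SAME_LINE), ("accepted", ACCEPTED), ("tweaked", TWEAKED)):
        print(f"SEA.ha Package Level via {name} pattern:", sea_ha_level(EVENT, pat))
```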


woodcock
Esteemed Legend

Try this:

 index=* sourcetype=collectedCodeLevels.All "HMC Code Levels" " Package Level" AND "Sea.ha" | rex "(?m)Package:\s+SEA.ha.*?Package Level:\s+(?<SEA_ha_Package_Level>\d+\.\d+\.\d+\.\d+)"

raby1996
Path Finder

Hmm, maybe this example is better:
Package: SEA.ha , MTMS: XXXX-XXX*XXXXXXX
Date: 2015/07/18-20:40, Bundle VRMF: X.X.XX.XX , Package Level: X.X.XX.XX, Mode: REMOTE_CCL
Package: SEA.se , MTMS: XXXX-XXX*XXXXXXX
Date: 2015/07/18-21:05, Bundle VRMF: X.X.XX.XX , Package Level: X.X.XX.XX, Mode: REMOTE_CCL

0 Karma

raby1996
Path Finder

It didn't extract anything, but still, thank you.

0 Karma

raby1996
Path Finder

Actually, with a little bit of tweaking it worked, thanks! I replaced ".*?" with "(?:\n|.)*?",
so now my code looks like:
index=* sourcetype=collectedCodeLevels.All "HMC Code Levels" " Package Level" AND "Sea.ha" | rex "(?m)(?<LIC>\s\d+\.\d+\.\d+\.\d+)" | rex "(?m)Package:\s+SEA.ha(?:\n|.)*?Package Level:\s+(?<SEA_ha_Package_Level>\d+\.\d+\.\d+\.\d+)"

0 Karma

woodcock
Esteemed Legend

I am not sure how that is possible because I used your event data and tested my solution against it and it worked perfectly. Are you sure that the event that you put in your question is completely correct?

0 Karma