How to write a rex expression to pull out a specific bit of data?

TorbinIT
Path Finder

Hello! So I'm trying to write a rex expression to pull out a specific bit of data from this:

<plugin_output>Operating system version = 10.19044 Architecture = x64 Build lab extended = 19041.1.amd64fre.vb_release.191206-1406 </plugin_output>

Specifically I want to extract the Operating System Version as a new field, "Win10Build", but I want only everything after the period, so in this specific example I'd like to have the new field Win10Build=19044.

I've got a rex expression that ALMOST works for this:

| rex field=pluginText "(?<Win10Build>\.\d+)"

But I haven't figured out how to make it so that it only captures the 5 digits after the period and nothing else. This is just the closest my attempts have gotten. Right now it captures the period and everything after it.

Any suggestions for how I can refine my search? If nothing else I could include an eval command in my search that filters out the periods and just leaves the 5 digit values, but that seems crude and complicated to me and I'd like elegant and simple. If I could just write a rex expression that filters out the period it'd save the search time and effort, right?

Thank you for any replies and for helping me learn!


richgalloway
SplunkTrust

You're very close. Just move the dot out of the capture group.

| rex field=pluginText "\.(?<Win10Build>\d+)"
---
If this reply helps you, Karma would be appreciated.
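To make the capture-group difference concrete, here is an added Python example (not from the thread or from Splunk) that runs both patterns over a constructed copy of the plugin_output text. Python's `re` module writes named groups as `(?P<name>...)` where Splunk's PCRE accepts `(?<name>...)`; the regex logic is otherwise the same. The example also goes one step further than the accepted answer with an anchored pattern (an assumption that the "Operating system version =" label is stable in the data), because the bare `\.(\d+)` takes the first period followed by digits anywhere in the field, which is only the OS version as long as that label comes first.

```python
import re

# Constructed sample mirroring the plugin_output field from the question.
SAMPLE = ("<plugin_output>Operating system version = 10.19044 Architecture = x64 "
          "Build lab extended = 19041.1.amd64fre.vb_release.191206-1406 </plugin_output>")

# Constructed variant where the build-lab field comes first, to show why anchoring matters.
REORDERED = ("<plugin_output>Build lab extended = 19041.1.amd64fre.vb_release.191206-1406 "
             "Operating system version = 10.22621 Architecture = x64 </plugin_output>")

# The question's pattern: the dot sits inside the group, so the capture includes it.
ORIGINAL = r"(?P<Win10Build>\.\d+)"

# The accepted answer: the dot is matched but left outside the group.
FIXED = r"\.(?P<Win10Build>\d+)"

# Added anchored variant (assumption: the label text is stable). It matches only the
# period that follows the major version in the "Operating system version" field.
ANCHORED = r"Operating system version = \d+\.(?P<Win10Build>\d+)"


def extract(pattern: str, text: str = SAMPLE):
    """Return the Win10Build capture for the first match of pattern in text, or None."""
    m = re.search(pattern, text)
    return m.group("Win10Build") if m else None


if __name__ == "__main__":
    for name, pat in (("ORIGINAL", ORIGINAL), ("FIXED", FIXED), ("ANCHORED", ANCHORED)):
        print(f"{name:9s} SAMPLE    -> {extract(pat)!r}")
        print(f"{name:9s} REORDERED -> {extract(pat, REORDERED)!r}")
```

On the sample from the question, the original pattern yields ".19044" and the fixed pattern "19044", as the answer says. On the reordered input the unanchored fix returns "1" (the first period followed by digits is in "19041.1"), while the anchored pattern still returns the OS build; in Splunk that anchored form would be `| rex field=pluginText "Operating system version = \d+\.(?<Win10Build>\d+)"`.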

TorbinIT
Path Finder

...I can't believe it was that simple and I missed it. Thank you so much for the help!
