Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to write a rex expression to pull out a specific bit of data?

TorbinIT
Path Finder
‎04-11-2023 06:15 AM

Hello! So I'm trying to write a rex expression to pull out a specific bit of data from this:

<plugin_output>Operating system version = 10.19044 Architecture = x64 Build lab extended = 19041.1.amd64fre.vb_release.191206-1406 </plugin_output>

Specifically I want to extract the Operating System Version as a new field, "Win10Build", but I want only everything after the period, so in this specific example I'd like to have the new field Win10Build=19044.

I've got a rex expression that ALMOST works for this:

| rex field=pluginText (?<Win10Build>\.\d+)

But I haven't figured out how to make it so that it only captures the 5 digits after the period and nothing else. This is just the closest my attempts have gotten. Right now it captures the period and everything after it.

Any suggestions for how I can refine my search? If nothing else I could include an eval command in my search that filters out the periods and just leaves the 5 digit values, but that seems crude and complicated to me and I'd like elegant and simple. If I could just write a rex expression that filters out the period it'd save the search time and effort, right?

Thank you for any replies and for helping me learn!

Labels (2)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-11-2023 06:21 AM

You're very close.  Just move the dot out of the capture group.

| rex field=pluginText "\.(?<Win10Build>\d+)"
---
If this reply helps you, Karma would be appreciated.
Reply

TorbinIT
Path Finder
‎04-11-2023 06:27 AM

...I can't believe it was that simple and I missed it. Thank you so much for the help!

Reply
Get Updates on the Splunk Community!

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...

Archived Metrics Now Available for APAC and EMEA realms

We’re excited to announce the launch of Archived Metrics in Splunk Infrastructure Monitoring for our customers ...