https://community.splunk.com/t5/Reporting/Regex-How-to-extract-multiple-words/m-p/614500#M11628 <P>Hi,</P> <P><SPAN>if I had logs as such:</SPAN></P> <P><SPAN>"Client authentication successful PAN-OS ver: 9.1.11-h3 Panorama ver:10.1.6-h3 Client IP: 10.68.196.211 Server IP: 10.58.217.123 Client CN: 013101004861" </SPAN></P> <P><SPAN>"Client authentication successful PAN-OS ver: 9.1.11 Panorama ver:10.1.6-h6 Client IP: 10.58.90.53 Server IP: 10.58.90.200 Client CN: 010401005346", </SPAN></P> <P>&nbsp;</P> <P><SPAN>How can I extract BOTH the PAN-OS and Panorma ver, i.e, 9.1.11, 10.1.6-h6, 10.1.6-h3, 9.1.11-h3???? </SPAN></P> <P>&nbsp;</P> <P><SPAN>I tried the following but it doesn't work - | rex field=body "[Panorama][PAN-OS]\s*:(?&lt;Software_Version&gt;.+?) Client"<BR /><BR /><BR />Can you please help?</SPAN></P> Mon, 26 Sep 2022 15:33:10 GMT POR160893 2022-09-26T15:33:10Z https://community.splunk.com/t5/Reporting/Regex-How-to-extract-multiple-words/m-p/614500#M11628 <P>Hi,</P> <P><SPAN>if I had logs as such:</SPAN></P> <P><SPAN>"Client authentication successful PAN-OS ver: 9.1.11-h3 Panorama ver:10.1.6-h3 Client IP: 10.68.196.211 Server IP: 10.58.217.123 Client CN: 013101004861" </SPAN></P> <P><SPAN>"Client authentication successful PAN-OS ver: 9.1.11 Panorama ver:10.1.6-h6 Client IP: 10.58.90.53 Server IP: 10.58.90.200 Client CN: 010401005346", </SPAN></P> <P>&nbsp;</P> <P><SPAN>How can I extract BOTH the PAN-OS and Panorma ver, i.e, 9.1.11, 10.1.6-h6, 10.1.6-h3, 9.1.11-h3???? </SPAN></P> <P>&nbsp;</P> <P><SPAN>I tried the following but it doesn't work - | rex field=body "[Panorama][PAN-OS]\s*:(?&lt;Software_Version&gt;.+?) Client"<BR /><BR /><BR />Can you please help?</SPAN></P> Mon, 26 Sep 2022 15:33:10 GMT https://community.splunk.com/t5/Reporting/Regex-How-to-extract-multiple-words/m-p/614500#M11628 POR160893 2022-09-26T15:33:10Z https://community.splunk.com/t5/Reporting/Regex-How-to-extract-multiple-words/m-p/614501#M11629 <P>Hi</P><P>regex101.com is your friend.&nbsp;<A href="https://regex101.com/r/MgVexD/1" target="_blank">https://regex101.com/r/MgVexD/1</A></P><LI-CODE lang="markup">... | rex field=body "PAN-OS ver:\s*(?&lt;PAN_OS_VER&gt;[^ ]+)\s+Panorama ver:(?&lt;Software_Version&gt;[^ ]+)"</LI-CODE><P>r. Ismo&nbsp;</P> Mon, 26 Sep 2022 08:06:35 GMT https://community.splunk.com/t5/Reporting/Regex-How-to-extract-multiple-words/m-p/614501#M11629 isoutamo 2022-09-26T08:06:35Z https://community.splunk.com/t5/Reporting/Regex-How-to-extract-multiple-words/m-p/614503#M11630 <P>No fields got extracted with this Regex. Also, the 2 extracted version needed to be stored in a single field .... so using 2 fields,&nbsp;&lt;PAN_OS_VER&gt; and&nbsp;&lt;Software_Version&gt; doe not concatenate both fields into 1 field.</P> Mon, 26 Sep 2022 08:12:55 GMT https://community.splunk.com/t5/Reporting/Regex-How-to-extract-multiple-words/m-p/614503#M11630 POR160893 2022-09-26T08:12:55Z https://community.splunk.com/t5/Reporting/Regex-How-to-extract-multiple-words/m-p/614505#M11631 <P>If you want both in the same field use:</P><P><STRONG>| rex field=body max_match=0 "(PAN-OS ver|Panorama ver):(?&lt;Software_Version&gt;[^\s]+)"</STRONG></P><P>If you want both in a separate field use:</P><P><STRONG>| rex field=body "PAN-OS ver:(?&lt;PAN_OS_Version&gt;[^\s]+).+?Panorama ver:(?&lt;Panorama_Version&gt;[^\s]+)"</STRONG></P><P>I hope this helps!</P><P>_______________________________________</P><P>If this was helpful please consider awarding Karma. Thx!</P> Mon, 26 Sep 2022 08:16:00 GMT https://community.splunk.com/t5/Reporting/Regex-How-to-extract-multiple-words/m-p/614505#M11631 FelixLeh 2022-09-26T08:16:00Z https://community.splunk.com/t5/Reporting/Regex-How-to-extract-multiple-words/m-p/614507#M11632 <P>If your example data is valid then this regex extracts those as you can verify with this regex101.com link. If this didn't work with splunk then please give us a correct event data.</P><P>You can combine those to one field e.g.&nbsp;</P><LI-CODE lang="markup">... | eval Software_Version = "PAN-VERSION: " . PAN_OS_VER . " " . Software_Version | fields - PAN_OS_VER</LI-CODE><P>&nbsp;</P> Mon, 26 Sep 2022 08:19:05 GMT https://community.splunk.com/t5/Reporting/Regex-How-to-extract-multiple-words/m-p/614507#M11632 isoutamo 2022-09-26T08:19:05Z https://community.splunk.com/t5/Reporting/Regex-How-to-extract-multiple-words/m-p/614508#M11633 <P>Are you sure the field you want to extract from is called body? If you want to extract from the event itself and not a specific field use:<BR /><STRONG>| rex field=_raw</STRONG></P> Mon, 26 Sep 2022 08:21:46 GMT https://community.splunk.com/t5/Reporting/Regex-How-to-extract-multiple-words/m-p/614508#M11633 FelixLeh 2022-09-26T08:21:46Z https://community.splunk.com/t5/Reporting/Regex-How-to-extract-multiple-words/m-p/614510#M11634 <P>Worked perfectly. Thank you and I obviously gave you Karma&nbsp;<span class="lia-unicode-emoji" title=":grinning_face:">😀</span></P> Mon, 26 Sep 2022 08:38:18 GMT https://community.splunk.com/t5/Reporting/Regex-How-to-extract-multiple-words/m-p/614510#M11634 POR160893 2022-09-26T08:38:18Z