https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-regular-expression-to-extract-these-fields-from/m-p/247018#M73641 <P>BINGO!!!! Many thanks!!!!</P> Thu, 13 Oct 2016 22:16:57 GMT dbcase 2016-10-13T22:16:57Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-regular-expression-to-extract-these-fields-from/m-p/247012#M73635 <P>Hi,</P> <P>I have the below data</P> <PRE><CODE>10.210.192.15 - - [12/Oct/2016:19:59:43 -0400] "GET /rest/icontrol/login?expand=sites,instances,points,functions HTTP/1.1" 401 6 "-" "Mozilla/5.0 (Linux; Android 6.0.1; SAMSUNG-SM-G920A Build/MMB29K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.124 Mobile Safari/537.36" 10.210.192.5 - - [12/Oct/2016:19:50:06 -0400] "GET /rest/icontrol/login?expand=sites,instances,points,functions HTTP/1.1" 401 6 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Mobile/14A456" </CODE></PRE> <P>And I'm trying to match on the OS for Android or the iPhone. I have this much of the regex <CODE>(Android|iPhone) (?P&lt;os&gt;)</CODE> but I'm now stumped as to what the remaining portion should be. I need to capture 6.0.1 from the first line and 10_0_2 from the second line.</P> Tue, 29 Sep 2020 11:22:50 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-regular-expression-to-extract-these-fields-from/m-p/247012#M73635 dbcase 2020-09-29T11:22:50Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-regular-expression-to-extract-these-fields-from/m-p/247013#M73636 <P>How about this</P> <P><STRONG>Updated</STRONG></P> <PRE><CODE>your base search | rex "((Android)|(iPhone OS)) (?&lt;os&gt;[^\s\;]+)" </CODE></PRE> Thu, 13 Oct 2016 22:05:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-regular-expression-to-extract-these-fields-from/m-p/247013#M73636 somesoni2 2016-10-13T22:05:37Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-regular-expression-to-extract-these-fields-from/m-p/247014#M73637 <P><A href="https://regex101.com/r/oeF93v/1">https://regex101.com/r/oeF93v/1</A></P> Thu, 13 Oct 2016 22:08:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-regular-expression-to-extract-these-fields-from/m-p/247014#M73637 aljohnson_splun 2016-10-13T22:08:19Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-regular-expression-to-extract-these-fields-from/m-p/247015#M73638 <P>Hey Somesoni2!</P> <P>Close, that grabs the second line 10_0_2 but not the first line 6.0.1</P> Tue, 29 Sep 2020 11:22:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-regular-expression-to-extract-these-fields-from/m-p/247015#M73638 dbcase 2020-09-29T11:22:52Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-regular-expression-to-extract-these-fields-from/m-p/247016#M73639 <P>Hi,</P> <P>Yes I'm already using that site but still stumped.</P> Thu, 13 Oct 2016 22:11:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-regular-expression-to-extract-these-fields-from/m-p/247016#M73639 dbcase 2016-10-13T22:11:43Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-regular-expression-to-extract-these-fields-from/m-p/247017#M73640 <P>How about now?</P> Thu, 13 Oct 2016 22:14:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-regular-expression-to-extract-these-fields-from/m-p/247017#M73640 somesoni2 2016-10-13T22:14:39Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-regular-expression-to-extract-these-fields-from/m-p/247018#M73641 <P>BINGO!!!! Many thanks!!!!</P> Thu, 13 Oct 2016 22:16:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-regular-expression-to-extract-these-fields-from/m-p/247018#M73641 dbcase 2016-10-13T22:16:57Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-regular-expression-to-extract-these-fields-from/m-p/247019#M73642 <P>You do not need it inner parentheses, and you do not need to escape the <CODE>;</CODE>, so this should do:</P> <PRE><CODE> your base search | rex "(Android|iPhone OS) (?&lt;os&gt;[^\s;]+)" </CODE></PRE> Fri, 14 Oct 2016 06:19:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-regular-expression-to-extract-these-fields-from/m-p/247019#M73642 lakromani 2016-10-14T06:19:08Z