Stuck on regex question for Ad FS logs. I am trying to extract all ips following a field ("Client IP: ") in a AD FS log. My log looks like this (truncated to save space): 10/02/2018 09:22:50 AM LogName=Security SourceName=AD FS Auditing EventCode=411 EventType=0 Type=Information ComputerName=* User=* Sid=* SidType=1 TaskCategory=Printers OpCode=Info RecordNumber=* Keywords=Audit Failure, Classic Message=Token validation failed. See inner exception for more details. Additional Data Activity ID: 00000000-0000-0000-0000-000000000000 Token Type: http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName Client IP: 117.31.21.102,2603:1001:750:16::5 Error message: ***** Exception details: System.IdentityModel.Tokens.SecurityTokenValidationException: ****** at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token) So the end result desired is that I get both ip addresses under the field src_ip (so it is multivalue), and that it only tries the regex if it finds the EventCode=411 or 512, etc... What I have so far is this: (?ms)(?:\G(?!\A)\s*,\s*|EventCode=411\R.*?\R)\K(?P<src_ip>(?:\d{1,3}\.){3}(?:\d{1,3})|(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}[\d%A-Fa-f.]*(?:::)?|::[\dA-Fa-f.]{1,15}|::) - which was helpfully provided by someone over at stackoverflow. This works in regex101 and any other regex helper sites. However when applied to splunk it only snateches up the first ip. What am I missing her. I have tested each individual part independently(as much as I could) and they have worked. Is there a problem with negative lookaheads in Splunk? Any ideas? ... View more