Reporting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regex - How to extract multiple words?

POR160893
Builder
‎09-26-2022 12:56 AM

Hi,

if I had logs as such:

"Client authentication successful PAN-OS ver: 9.1.11-h3 Panorama ver:10.1.6-h3 Client IP: 10.68.196.211 Server IP: 10.58.217.123 Client CN: 013101004861"

"Client authentication successful PAN-OS ver: 9.1.11 Panorama ver:10.1.6-h6 Client IP: 10.58.90.53 Server IP: 10.58.90.200 Client CN: 010401005346",

 

How can I extract BOTH the PAN-OS and Panorma ver, i.e, 9.1.11, 10.1.6-h6, 10.1.6-h3, 9.1.11-h3????

 

I tried the following but it doesn't work - | rex field=body "[Panorama][PAN-OS]\s*:(?<Software_Version>.+?) Client"


Can you please help?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

FelixLeh
Contributor
‎09-26-2022 01:16 AM

If you want both in the same field use:

| rex field=body max_match=0 "(PAN-OS ver|Panorama ver):(?<Software_Version>[^\s]+)"

If you want both in a separate field use:

| rex field=body "PAN-OS ver:(?<PAN_OS_Version>[^\s]+).+?Panorama ver:(?<Panorama_Version>[^\s]+)"

I hope this helps!

_______________________________________

If this was helpful please consider awarding Karma. Thx!

View solution in original post

Reply
Solved! Jump to solution
Solution

FelixLeh
Contributor
‎09-26-2022 01:16 AM

If you want both in the same field use:

| rex field=body max_match=0 "(PAN-OS ver|Panorama ver):(?<Software_Version>[^\s]+)"

If you want both in a separate field use:

| rex field=body "PAN-OS ver:(?<PAN_OS_Version>[^\s]+).+?Panorama ver:(?<Panorama_Version>[^\s]+)"

I hope this helps!

_______________________________________

If this was helpful please consider awarding Karma. Thx!

Reply
Solved! Jump to solution

POR160893
Builder
‎09-26-2022 01:38 AM

Worked perfectly. Thank you and I obviously gave you Karma 😀

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎09-26-2022 01:06 AM

Hi

regex101.com is your friend. https://regex101.com/r/MgVexD/1

...
| rex field=body "PAN-OS ver:\s*(?<PAN_OS_VER>[^ ]+)\s+Panorama ver:(?<Software_Version>[^ ]+)"

r. Ismo 

Reply
Solved! Jump to solution

POR160893
Builder
‎09-26-2022 01:12 AM

No fields got extracted with this Regex. Also, the 2 extracted version needed to be stored in a single field .... so using 2 fields, <PAN_OS_VER> and <Software_Version> doe not concatenate both fields into 1 field.

Tags (1)
0 Karma
Reply
Solved! Jump to solution

FelixLeh
Contributor
‎09-26-2022 01:21 AM

Are you sure the field you want to extract from is called body? If you want to extract from the event itself and not a specific field use:
| rex field=_raw

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎09-26-2022 01:19 AM

If your example data is valid then this regex extracts those as you can verify with this regex101.com link. If this didn't work with splunk then please give us a correct event data.

You can combine those to one field e.g. 

...
| eval Software_Version = "PAN-VERSION: " . PAN_OS_VER . "  " . Software_Version
| fields - PAN_OS_VER

 

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...