- Splunk Answers
- :
- Using Splunk
- :
- Reporting
- :
- Re: Regex - Multiple words to extract
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
if I had logs as such:
"Client authentication successful PAN-OS ver: 9.1.11-h3 Panorama ver:10.1.6-h3 Client IP: 10.68.196.211 Server IP: 10.58.217.123 Client CN: 013101004861"
"Client authentication successful PAN-OS ver: 9.1.11 Panorama ver:10.1.6-h6 Client IP: 10.58.90.53 Server IP: 10.58.90.200 Client CN: 010401005346",
How can I extract BOTH the PAN-OS and Panorma ver, i.e, 9.1.11, 10.1.6-h6, 10.1.6-h3, 9.1.11-h3????
I tried the following but it doesn't work - | rex field=body "[Panorama][PAN-OS]\s*:(?<Software_Version>.+?) Client"
Can you please help?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you want both in the same field use:
| rex field=body max_match=0 "(PAN-OS ver|Panorama ver):(?<Software_Version>[^\s]+)"
If you want both in a separate field use:
| rex field=body "PAN-OS ver:(?<PAN_OS_Version>[^\s]+).+?Panorama ver:(?<Panorama_Version>[^\s]+)"
I hope this helps!
_______________________________________
If this was helpful please consider awarding Karma. Thx!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you want both in the same field use:
| rex field=body max_match=0 "(PAN-OS ver|Panorama ver):(?<Software_Version>[^\s]+)"
If you want both in a separate field use:
| rex field=body "PAN-OS ver:(?<PAN_OS_Version>[^\s]+).+?Panorama ver:(?<Panorama_Version>[^\s]+)"
I hope this helps!
_______________________________________
If this was helpful please consider awarding Karma. Thx!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Worked perfectly. Thank you and I obviously gave you Karma 😀
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
regex101.com is your friend. https://regex101.com/r/MgVexD/1
...
| rex field=body "PAN-OS ver:\s*(?<PAN_OS_VER>[^ ]+)\s+Panorama ver:(?<Software_Version>[^ ]+)"r. Ismo
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No fields got extracted with this Regex. Also, the 2 extracted version needed to be stored in a single field .... so using 2 fields, <PAN_OS_VER> and <Software_Version> doe not concatenate both fields into 1 field.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you sure the field you want to extract from is called body? If you want to extract from the event itself and not a specific field use:
| rex field=_raw
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If your example data is valid then this regex extracts those as you can verify with this regex101.com link. If this didn't work with splunk then please give us a correct event data.
You can combine those to one field e.g.
...
| eval Software_Version = "PAN-VERSION: " . PAN_OS_VER . " " . Software_Version
| fields - PAN_OS_VER
Get the T-shirt to Prove You Survived Splunk University Bootcamp
Introducing the Splunk Community Dashboard Challenge!
Wondering How to Build Resiliency in the Cloud?
