Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regex - How to extract multiple words?

POR160893
Builder
‎09-26-2022 12:56 AM

Hi,

if I had logs as such:

"Client authentication successful PAN-OS ver: 9.1.11-h3 Panorama ver:10.1.6-h3 Client IP: 10.68.196.211 Server IP: 10.58.217.123 Client CN: 013101004861"

"Client authentication successful PAN-OS ver: 9.1.11 Panorama ver:10.1.6-h6 Client IP: 10.58.90.53 Server IP: 10.58.90.200 Client CN: 010401005346",

 

How can I extract BOTH the PAN-OS and Panorma ver, i.e, 9.1.11, 10.1.6-h6, 10.1.6-h3, 9.1.11-h3????

 

I tried the following but it doesn't work - | rex field=body "[Panorama][PAN-OS]\s*:(?<Software_Version>.+?) Client"


Can you please help?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

FelixLeh
Contributor
‎09-26-2022 01:16 AM

If you want both in the same field use:

| rex field=body max_match=0 "(PAN-OS ver|Panorama ver):(?<Software_Version>[^\s]+)"

If you want both in a separate field use:

| rex field=body "PAN-OS ver:(?<PAN_OS_Version>[^\s]+).+?Panorama ver:(?<Panorama_Version>[^\s]+)"

I hope this helps!

_______________________________________

If this was helpful please consider awarding Karma. Thx!

View solution in original post

Reply
Solved! Jump to solution
Solution

FelixLeh
Contributor
‎09-26-2022 01:16 AM

If you want both in the same field use:

| rex field=body max_match=0 "(PAN-OS ver|Panorama ver):(?<Software_Version>[^\s]+)"

If you want both in a separate field use:

| rex field=body "PAN-OS ver:(?<PAN_OS_Version>[^\s]+).+?Panorama ver:(?<Panorama_Version>[^\s]+)"

I hope this helps!

_______________________________________

If this was helpful please consider awarding Karma. Thx!

Reply
Solved! Jump to solution

POR160893
Builder
‎09-26-2022 01:38 AM

Worked perfectly. Thank you and I obviously gave you Karma 😀

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎09-26-2022 01:06 AM

Hi

regex101.com is your friend. https://regex101.com/r/MgVexD/1

...
| rex field=body "PAN-OS ver:\s*(?<PAN_OS_VER>[^ ]+)\s+Panorama ver:(?<Software_Version>[^ ]+)"

r. Ismo 

Reply
Solved! Jump to solution

POR160893
Builder
‎09-26-2022 01:12 AM

No fields got extracted with this Regex. Also, the 2 extracted version needed to be stored in a single field .... so using 2 fields, <PAN_OS_VER> and <Software_Version> doe not concatenate both fields into 1 field.

Tags (1)
0 Karma
Reply
Solved! Jump to solution

FelixLeh
Contributor
‎09-26-2022 01:21 AM

Are you sure the field you want to extract from is called body? If you want to extract from the event itself and not a specific field use:
| rex field=_raw

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎09-26-2022 01:19 AM

If your example data is valid then this regex extracts those as you can verify with this regex101.com link. If this didn't work with splunk then please give us a correct event data.

You can combine those to one field e.g. 

...
| eval Software_Version = "PAN-VERSION: " . PAN_OS_VER . "  " . Software_Version
| fields - PAN_OS_VER

 

Reply
Get Updates on the Splunk Community!

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...