How to take multiple values ​separated by spaces with grok

Question

I have the following paragraph that arrives in an email and I want to take only those that are by CI

CI: CI14710 CI14727 CI14732 CI14741 OC14735 CI14744 Ends\n\n

I am trying to use the following regular expression

CI: (?<CI>[A-Za-z0-9_-]{1,})

but I only take the first

I tried with this other expression but the logstash fails me

CI: (?<CI>[A-Za-z0-9_-]{1,}.*)\\n\\n

it is not seen but they go dobele \ n

Answer 1

I tried the below pattern in Grok debugger and able to collect all the words starting with CI.

CI: (?<CI>[A-Za-z0-9_-]{1,}.*) %{GREEDYDATA:data}

Output screenshot:

You can drop the field data using the drop filter