https://community.splunk.com/t5/Security/regular-expression/m-p/699926#M18128 <P>Hi I want to extract highlighted part<BR /><BR /></P><DIV class=""><SPAN class="">Sep</SPAN> <SPAN class="">24</SPAN> <SPAN class="">10:43:25</SPAN> <FONT color="#FFFF00"><SPAN class="">10.82.10.245</SPAN></FONT> [<SPAN class="">S=217</SPAN>] [<SPAN class="">BID=d57afa:30</SPAN>] <SPAN class=""><SPAN class="">RAISE-ALARM</SPAN>:acProxyConnectionLost:</SPAN> [<SPAN class="">KOREASBC1</SPAN>] <SPAN class="">Proxy</SPAN> <SPAN class="">Set</SPAN> <SPAN class="">Alarm</SPAN> <SPAN class="">Proxy</SPAN> <SPAN class="">Set</SPAN> <SPAN class="">1</SPAN> (<SPAN class="">PS_ITSP</SPAN>)<SPAN class="">:</SPAN> <SPAN class="">Proxy</SPAN> <SPAN class="">lost.</SPAN> <SPAN class="">looking</SPAN> <SPAN class="">for</SPAN> <SPAN class="">another</SPAN> <SPAN class="">proxy</SPAN>; <SPAN class="">Severity:major</SPAN>; <SPAN class="">Source:Board#1/ProxyConnection#1</SPAN>; <SPAN class="">Unique</SPAN> <SPAN class="">ID:242</SPAN>; <SPAN class="">Additional</SPAN> <SPAN class="">Info1:</SPAN>; [<SPAN class="">Time:24-09@17:43:25.248</SPAN>] [<SPAN class="">63380759]</SPAN></DIV> Tue, 24 Sep 2024 11:27:00 GMT Siddharthnegi 2024-09-24T11:27:00Z https://community.splunk.com/t5/Security/regular-expression/m-p/699926#M18128 <P>Hi I want to extract highlighted part<BR /><BR /></P><DIV class=""><SPAN class="">Sep</SPAN> <SPAN class="">24</SPAN> <SPAN class="">10:43:25</SPAN> <FONT color="#FFFF00"><SPAN class="">10.82.10.245</SPAN></FONT> [<SPAN class="">S=217</SPAN>] [<SPAN class="">BID=d57afa:30</SPAN>] <SPAN class=""><SPAN class="">RAISE-ALARM</SPAN>:acProxyConnectionLost:</SPAN> [<SPAN class="">KOREASBC1</SPAN>] <SPAN class="">Proxy</SPAN> <SPAN class="">Set</SPAN> <SPAN class="">Alarm</SPAN> <SPAN class="">Proxy</SPAN> <SPAN class="">Set</SPAN> <SPAN class="">1</SPAN> (<SPAN class="">PS_ITSP</SPAN>)<SPAN class="">:</SPAN> <SPAN class="">Proxy</SPAN> <SPAN class="">lost.</SPAN> <SPAN class="">looking</SPAN> <SPAN class="">for</SPAN> <SPAN class="">another</SPAN> <SPAN class="">proxy</SPAN>; <SPAN class="">Severity:major</SPAN>; <SPAN class="">Source:Board#1/ProxyConnection#1</SPAN>; <SPAN class="">Unique</SPAN> <SPAN class="">ID:242</SPAN>; <SPAN class="">Additional</SPAN> <SPAN class="">Info1:</SPAN>; [<SPAN class="">Time:24-09@17:43:25.248</SPAN>] [<SPAN class="">63380759]</SPAN></DIV> Tue, 24 Sep 2024 11:27:00 GMT https://community.splunk.com/t5/Security/regular-expression/m-p/699926#M18128 Siddharthnegi 2024-09-24T11:27:00Z https://community.splunk.com/t5/Security/regular-expression/m-p/699928#M18129 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/257462">@Siddharthnegi</a>&nbsp;,</P><P>please try this:</P><LI-CODE lang="markup">| rex "^\w+\s\d+\s\d+:\d+:\d+\s(?&lt;ip&gt;\d+\.\d+\.\d+\.\d+)"</LI-CODE><P>that you can test at&nbsp;<A href="https://regex101.com/r/Ha7ifi/1" target="_blank">https://regex101.com/r/Ha7ifi/1</A></P><P>Ciao.</P><P>Giuseppe</P> Tue, 24 Sep 2024 12:07:33 GMT https://community.splunk.com/t5/Security/regular-expression/m-p/699928#M18129 gcusello 2024-09-24T12:07:33Z https://community.splunk.com/t5/Security/regular-expression/m-p/699930#M18130 <P class="lia-align-left">You can use below rex. Which will fetch the highlighted context<BR />| rex "\w+\s+\d+\s+\d{2}:\d{2}:\d{2}\s+(?&lt;result&gt;[^\s]+)"</P> Tue, 24 Sep 2024 12:09:57 GMT https://community.splunk.com/t5/Security/regular-expression/m-p/699930#M18130 Thulasinathan_M 2024-09-24T12:09:57Z