https://community.splunk.com/t5/Splunk-Enterprise/How-to-extract-field-with-rex/m-p/627381#M15126 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/93662">@altink</a>&nbsp;</P><P>Are you looking for this?</P><LI-CODE lang="markup">| makeresults | eval raw="[CLIENT: 192.20.21.22]" | rename raw as _raw |rename comment as "upto this is sample data" | rex field=_raw "\[CLIENT:(?&lt;IP2&gt;.*)\]"</LI-CODE><P>&nbsp;</P><P>Thanks<BR />KV<BR />If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.</P> Tue, 17 Jan 2023 18:28:32 GMT kamlesh_vaghela 2023-01-17T18:28:32Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-extract-field-with-rex/m-p/627377#M15123 <P>Dear All.<BR /><BR />When searching some database log as<BR />index=my_db ....<BR />I have a field named "statement"&nbsp; with content as example below:<BR /><BR />The login packet used to open the connection is structurally invalid; the connection has been closed. Please contact the vendor of the client library. [CLIENT: 192.20.21.22]<BR /><BR />I need to create a new field, named IP2, with the IP address as above.<BR /><BR />In general, the rex command must look for the text between&nbsp; "[CLIENT: " and "]"<BR /><BR />Your help is appreciated<BR /><BR />best regards<BR />Altin</P> Tue, 17 Jan 2023 20:19:05 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-extract-field-with-rex/m-p/627377#M15123 altink 2023-01-17T20:19:05Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-extract-field-with-rex/m-p/627381#M15126 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/93662">@altink</a>&nbsp;</P><P>Are you looking for this?</P><LI-CODE lang="markup">| makeresults | eval raw="[CLIENT: 192.20.21.22]" | rename raw as _raw |rename comment as "upto this is sample data" | rex field=_raw "\[CLIENT:(?&lt;IP2&gt;.*)\]"</LI-CODE><P>&nbsp;</P><P>Thanks<BR />KV<BR />If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.</P> Tue, 17 Jan 2023 18:28:32 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-extract-field-with-rex/m-p/627381#M15126 kamlesh_vaghela 2023-01-17T18:28:32Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-extract-field-with-rex/m-p/627384#M15127 <P>I am not getting:<BR /><BR />Why makeresults should be there<BR />I have an existing field "statement" from which I need to get the IP, instead of a _raw one<BR />Do not understand part "rename comment .." - I have no field named "comment"<BR /><BR />referring to part<BR />&nbsp;eval raw="[CLIENT: 192.20.21.22]"<BR /><BR />part 192.20.21.22 is NOT fixed,&nbsp; it is just from the example above, it is variable - what I want to get as field IP2<BR /><BR /><BR />regards<BR />Altin</P> Tue, 17 Jan 2023 18:40:31 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-extract-field-with-rex/m-p/627384#M15127 altink 2023-01-17T18:40:31Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-extract-field-with-rex/m-p/627406#M15130 <P>When people reply with solutions they will often post a block of code starting with | makeresults, which means this is an example which you can copy/paste to a Splunk search window and run to demonstrate the solution.</P><P>If you do that, you will see that it will create a dummy example and then extract a new field called IP2 with the address as need. The "rename..." is simply telling you that up to the final line, is an example setting up a solution for you.</P><P>As&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/127939">@kamlesh_vaghela</a>&nbsp;has shown, the last line is the rex statement you need.</P> Wed, 18 Jan 2023 02:22:45 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-extract-field-with-rex/m-p/627406#M15130 bowesmana 2023-01-18T02:22:45Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-extract-field-with-rex/m-p/627494#M15139 <P>Thank you for your answer too</P><P>&nbsp;</P><P>regards<BR />Altin</P> Wed, 18 Jan 2023 16:51:31 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-extract-field-with-rex/m-p/627494#M15139 altink 2023-01-18T16:51:31Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-extract-field-with-rex/m-p/627496#M15140 <P>Thank you very much for the solution<BR /><BR />regards<BR />Altin<BR /><BR />ps. upvote is "accept as solution"?</P> Wed, 18 Jan 2023 16:55:29 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-extract-field-with-rex/m-p/627496#M15140 altink 2023-01-18T16:55:29Z