https://community.splunk.com/t5/Splunk-Enterprise/Field-extraction-using-regular-expression-under-field-extraction/m-p/509360#M2635 <P>I need to write a common regex to match all the below patterns&nbsp;</P><P>My regular expression written so far is&nbsp;</P><P>(?P&lt;timestamp&gt;\w+\s+\d+\s+\d+:\d+:\d+)\s+(?P&lt;src&gt;\w+)\s+(?P&lt;daemon&gt;\w+):\s+(?P&lt;message&gt;(.*?)$)|(?J)(?P&lt;timestamp&gt;\w+\s+\d+\s+\d+:\d+:\d+)\s+(?P&lt;src&gt;\w+)\s+(?P&lt;daemon&gt;\w+)\[(?P&lt;process_id&gt;\d+)\]:\s+(?P&lt;entry_type&gt;\w+):\s+(?P&lt;service_id&gt;\w+)\s+\w+=((?P&lt;status&gt;0)|(?&lt;pid&gt;\d+))(\s+from=(?P&lt;origin_ip&gt;(.*?)$))</P><P>This matches 1st and 2nd pattern in regex101.com but when I put it in splunk it doesn't work matching unintended fields. Please help how to go with this</P><P>Jul 15 14:01:32 jiufc1fe330 xinetd[82352]: START: nrpe pid=151239 from=::ffff:14.956.44.41<BR />Jul 15 12:30:36 dyue29200 systemd: Removed slice User Slice of root.<BR />Jul 15 12:30:21 dtg280419 xinetd[16211]: EXIT: nrpe status=0 pid=8924 duration=0(sec)</P> Wed, 15 Jul 2020 17:33:18 GMT sandeepduppalli 2020-07-15T17:33:18Z https://community.splunk.com/t5/Splunk-Enterprise/Field-extraction-using-regular-expression-under-field-extraction/m-p/509360#M2635 <P>I need to write a common regex to match all the below patterns&nbsp;</P><P>My regular expression written so far is&nbsp;</P><P>(?P&lt;timestamp&gt;\w+\s+\d+\s+\d+:\d+:\d+)\s+(?P&lt;src&gt;\w+)\s+(?P&lt;daemon&gt;\w+):\s+(?P&lt;message&gt;(.*?)$)|(?J)(?P&lt;timestamp&gt;\w+\s+\d+\s+\d+:\d+:\d+)\s+(?P&lt;src&gt;\w+)\s+(?P&lt;daemon&gt;\w+)\[(?P&lt;process_id&gt;\d+)\]:\s+(?P&lt;entry_type&gt;\w+):\s+(?P&lt;service_id&gt;\w+)\s+\w+=((?P&lt;status&gt;0)|(?&lt;pid&gt;\d+))(\s+from=(?P&lt;origin_ip&gt;(.*?)$))</P><P>This matches 1st and 2nd pattern in regex101.com but when I put it in splunk it doesn't work matching unintended fields. Please help how to go with this</P><P>Jul 15 14:01:32 jiufc1fe330 xinetd[82352]: START: nrpe pid=151239 from=::ffff:14.956.44.41<BR />Jul 15 12:30:36 dyue29200 systemd: Removed slice User Slice of root.<BR />Jul 15 12:30:21 dtg280419 xinetd[16211]: EXIT: nrpe status=0 pid=8924 duration=0(sec)</P> Wed, 15 Jul 2020 17:33:18 GMT https://community.splunk.com/t5/Splunk-Enterprise/Field-extraction-using-regular-expression-under-field-extraction/m-p/509360#M2635 sandeepduppalli 2020-07-15T17:33:18Z https://community.splunk.com/t5/Splunk-Enterprise/Field-extraction-using-regular-expression-under-field-extraction/m-p/509379#M2636 Is this for index-time or search-time field extraction?<BR />Can you be more specific about how Splunk is failing? What unintended fields are matching? Wed, 15 Jul 2020 19:35:45 GMT https://community.splunk.com/t5/Splunk-Enterprise/Field-extraction-using-regular-expression-under-field-extraction/m-p/509379#M2636 richgalloway 2020-07-15T19:35:45Z https://community.splunk.com/t5/Splunk-Enterprise/Field-extraction-using-regular-expression-under-field-extraction/m-p/509432#M2640 <P>This is search time field extraction. I am using few captured named group for field names like timestamp,src etc.., twice with (?J) option but splunk recognizes them as different fields. How to use the same field name here?My basic aim to have a single regex for all log patterns mentioned.</P> Thu, 16 Jul 2020 01:26:11 GMT https://community.splunk.com/t5/Splunk-Enterprise/Field-extraction-using-regular-expression-under-field-extraction/m-p/509432#M2640 sandeepduppalli 2020-07-16T01:26:11Z https://community.splunk.com/t5/Splunk-Enterprise/Field-extraction-using-regular-expression-under-field-extraction/m-p/509523#M2655 <P>Since this is a search-time extraction, consider using multiple <FONT face="courier new,courier">rex</FONT> commands.&nbsp; That's often easier than crafting a single regex for all cases.</P><P>Also, try putting the <FONT face="courier new,courier">(?J)</FONT> flag at the beginning of your regex.</P> Thu, 16 Jul 2020 13:45:45 GMT https://community.splunk.com/t5/Splunk-Enterprise/Field-extraction-using-regular-expression-under-field-extraction/m-p/509523#M2655 richgalloway 2020-07-16T13:45:45Z https://community.splunk.com/t5/Splunk-Enterprise/Field-extraction-using-regular-expression-under-field-extraction/m-p/509526#M2656 <P>When using rex command with same named group it is giving the following error</P><P>Error in 'rex' command: Encountered the following error while compiling the regex '(?P&lt;timestamp&gt;\w+\s+\d+\s+\d+:\d+:\d+)\s+(?P&lt;src&gt;\w+)\s+(?P&lt;daemon&gt;\w+)\[(?P&lt;<STRONG>process_id</STRONG>&gt;\d+)\]:\s+pid=(?P&lt;<STRONG>process_id</STRONG>&gt;\d+)': Regex: two named subpatterns have the same name (PCRE2_DUPNAMES not set).</P> Thu, 16 Jul 2020 13:49:57 GMT https://community.splunk.com/t5/Splunk-Enterprise/Field-extraction-using-regular-expression-under-field-extraction/m-p/509526#M2656 sandeepduppalli 2020-07-16T13:49:57Z https://community.splunk.com/t5/Splunk-Enterprise/Field-extraction-using-regular-expression-under-field-extraction/m-p/509536#M2660 That's what the (?J) flag is for. Why did you leave it out? Thu, 16 Jul 2020 14:28:07 GMT https://community.splunk.com/t5/Splunk-Enterprise/Field-extraction-using-regular-expression-under-field-extraction/m-p/509536#M2660 richgalloway 2020-07-16T14:28:07Z