https://community.splunk.com/t5/Splunk-Dev/Field-Extraction-Between-Keywords-Help/m-p/413653#M7161 <P>New to field extractions but hoping this is an easy one that i just can't figure out for myself. I have a syslog server sending raw logs and want to extract a new field that consists of all the data (string) between and so that i can use it in a search. So for example, if i had a raw log that said:</P> <P>Jan 18 10:58:38 10.0.254.51 &lt;134&gt;Jan 18 10:58:38 from="<A href="mailto:something@something.com">something@something.com</A>" to="<A href="mailto:someone@someone.com">someone@someone.com</A>" RE: [EXTERNAL] Files for Review#012 #012</P> <P>I want to extract a field called "subject" that would consist of only "RE: [EXTERNAL] Files for Review". Of course as messages flow through, the subject will change among them, but that's the just of it. It is already identifying a From and To field so my end result I am trying to create will be a table that will consist of:</P> <P>"From" "To" "Subject"</P> <P>I tried rex field=_raw "\" : "&lt;(?.*)&gt;" but it did not like that.</P> <P>Any help is greatly appreciated!</P> Fri, 18 Jan 2019 17:13:16 GMT ghostdog920 2019-01-18T17:13:16Z https://community.splunk.com/t5/Splunk-Dev/Field-Extraction-Between-Keywords-Help/m-p/413653#M7161 <P>New to field extractions but hoping this is an easy one that i just can't figure out for myself. I have a syslog server sending raw logs and want to extract a new field that consists of all the data (string) between and so that i can use it in a search. So for example, if i had a raw log that said:</P> <P>Jan 18 10:58:38 10.0.254.51 &lt;134&gt;Jan 18 10:58:38 from="<A href="mailto:something@something.com">something@something.com</A>" to="<A href="mailto:someone@someone.com">someone@someone.com</A>" RE: [EXTERNAL] Files for Review#012 #012</P> <P>I want to extract a field called "subject" that would consist of only "RE: [EXTERNAL] Files for Review". Of course as messages flow through, the subject will change among them, but that's the just of it. It is already identifying a From and To field so my end result I am trying to create will be a table that will consist of:</P> <P>"From" "To" "Subject"</P> <P>I tried rex field=_raw "\" : "&lt;(?.*)&gt;" but it did not like that.</P> <P>Any help is greatly appreciated!</P> Fri, 18 Jan 2019 17:13:16 GMT https://community.splunk.com/t5/Splunk-Dev/Field-Extraction-Between-Keywords-Help/m-p/413653#M7161 ghostdog920 2019-01-18T17:13:16Z https://community.splunk.com/t5/Splunk-Dev/Field-Extraction-Between-Keywords-Help/m-p/413654#M7162 <P>Figured it out. On the regular expression build wizard of creating a new field i just need to include additional different samples so the expression could build.</P> Fri, 18 Jan 2019 17:57:07 GMT https://community.splunk.com/t5/Splunk-Dev/Field-Extraction-Between-Keywords-Help/m-p/413654#M7162 ghostdog920 2019-01-18T17:57:07Z