https://community.splunk.com/t5/Splunk-Dev/rex-command/m-p/519609#M9281 <P>thanx for ur response but i am&nbsp; not getting that&nbsp; specific field&nbsp;</P> Tue, 15 Sep 2020 06:51:50 GMT itishree 2020-09-15T06:51:50Z https://community.splunk.com/t5/Splunk-Dev/rex-command/m-p/519606#M9279 <P>&nbsp;I have event like this from here i have to extract bold name&nbsp; like :</P><P>Burp-collab</P><P>Qualys_scanner_RPA</P><P>SIE-PT-BAU-1</P><P>SIE-PT-BAU-2Kali</P><P>&nbsp;</P><P>can any one help me on this</P><P>&nbsp;</P><P>&nbsp;</P><TABLE width="570"><TBODY><TR><TD width="570">&lt;166&gt;2020-09-11T12: [Originator@6870 sub=Vmsvc.vm:/vmfs/volumes/5b33d479-61618708-d3cd-d094665b5e96/<FONT face="arial black,avant garde">Burp-Collab</FONT>/Burp-Collab.vmx opID=1bcac8c3 user=root]</TD></TR><TR><TD>&lt;13&gt;2020-09-08T05: /vmfs/volumes/5b33d479-61618708-d3cd-d094665b5e96/<FONT face="arial black,avant garde">Qualys_scanner_RPA</FONT>/Qualys_scanner_RPA.vmx: Connected to mks-fd</TD></TR><TR><TD>&lt;164&gt;2020-09-11T13:[Originator@6876 sub=Vmsvc.vm:/vmfs/volumes/5b33d479-61618708-d3cd-d094665b5e96/<FONT face="arial black,avant garde">SIE-PT-BAU-1</FONT>/SIE-PT-BAU-1.vmx] Failed to find activation record, event user unknown.</TD></TR><TR><TD>&lt;166&gt;2020-09-08T05:54:57.060Z siscesxi01.sisc-lab.com Hostd: info hostd[2099583] [Originator@6876 sub=Vmsvc.vm:/vmfs/volumes/5b33d479-61618708-d3cd-d094665b5e96/<FONT face="arial black,avant garde">SIE-PT-BAU-2Kali</FONT>/SIE-PT-BAU-2Kali.vmx opID=1bca6b2a user=root] Ticket issued for mks service to user: root</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>&nbsp;</P> Tue, 15 Sep 2020 06:24:41 GMT https://community.splunk.com/t5/Splunk-Dev/rex-command/m-p/519606#M9279 itishree 2020-09-15T06:24:41Z https://community.splunk.com/t5/Splunk-Dev/rex-command/m-p/519608#M9280 <P>values will be extracted new field called "newfield"</P><LI-CODE lang="markup">| rex "(?&lt;newfield&gt;[^\/]+)(?=.vmx)"</LI-CODE> Tue, 15 Sep 2020 06:43:49 GMT https://community.splunk.com/t5/Splunk-Dev/rex-command/m-p/519608#M9280 thambisetty 2020-09-15T06:43:49Z https://community.splunk.com/t5/Splunk-Dev/rex-command/m-p/519609#M9281 <P>thanx for ur response but i am&nbsp; not getting that&nbsp; specific field&nbsp;</P> Tue, 15 Sep 2020 06:51:50 GMT https://community.splunk.com/t5/Splunk-Dev/rex-command/m-p/519609#M9281 itishree 2020-09-15T06:51:50Z https://community.splunk.com/t5/Splunk-Dev/rex-command/m-p/519611#M9282 <LI-CODE lang="markup">| index=yourindex | rex "(?&lt;newfield&gt;[^\/]+)(?=.vmx)" | table newfield</LI-CODE> Tue, 15 Sep 2020 06:56:48 GMT https://community.splunk.com/t5/Splunk-Dev/rex-command/m-p/519611#M9282 thambisetty 2020-09-15T06:56:48Z https://community.splunk.com/t5/Splunk-Dev/rex-command/m-p/519613#M9283 <P>&nbsp; count</P><TABLE width="700px"><TBODY><TR><TD width="659px">&lt;13&gt;2020-09-14T09:15:07Z&nbsp; vmauthd[6227095]: Local connection for</TD><TD width="40px">1</TD></TR><TR><TD width="659px">&lt;13&gt;2020-09-14T10:28:09Z vmauthd[6232159]: Local connection for</TD><TD width="40px">1</TD></TR><TR><TD width="659px">&lt;166&gt;2020-09-14T08:58:37.120Z&nbsp; Hostd: info hostd[2099584] [Originator@6876 sub=Libs opID=vim-cmd-c1-6005 user=dcui] Found</TD><TD width="40px">1</TD></TR><TR><TD width="659px">&lt;166&gt;2020-09-14T08:58:37.120Z&nbsp; Hostd: info hostd[2099584] [Originator@6876 sub=Libs opID=vim-cmd-c1-6005 user=dcui] Starting</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>getting result like this&nbsp;&nbsp;</P><P>i want only the name of that particular field</P> Tue, 15 Sep 2020 07:14:09 GMT https://community.splunk.com/t5/Splunk-Dev/rex-command/m-p/519613#M9283 itishree 2020-09-15T07:14:09Z https://community.splunk.com/t5/Splunk-Dev/rex-command/m-p/519615#M9284 <P>if the value matches with regular expression then newfield will have values otherwise no.</P><P>the table below doesn't have values you posted in question.&nbsp;&nbsp;</P> Tue, 15 Sep 2020 07:24:23 GMT https://community.splunk.com/t5/Splunk-Dev/rex-command/m-p/519615#M9284 thambisetty 2020-09-15T07:24:23Z https://community.splunk.com/t5/Splunk-Dev/rex-command/m-p/519616#M9285 <P>Following the previous answer, simply use a stats command:</P><LI-CODE lang="markup">| index=yourindex | rex "(?&lt;newfield&gt;[^\/]+)(?=.vmx)" | stats latest(_raw), count by newfield</LI-CODE><P>&nbsp;</P> Tue, 15 Sep 2020 07:24:48 GMT https://community.splunk.com/t5/Splunk-Dev/rex-command/m-p/519616#M9285 samsplunks 2020-09-15T07:24:48Z https://community.splunk.com/t5/Splunk-Dev/rex-command/m-p/519618#M9286 <P>| rex "(?&lt;VMX&gt;[^\/]+)\.vmx"</P><P>&nbsp;</P><P>This one works...thanx for ur help</P> Tue, 15 Sep 2020 07:31:45 GMT https://community.splunk.com/t5/Splunk-Dev/rex-command/m-p/519618#M9286 itishree 2020-09-15T07:31:45Z