https://community.splunk.com/t5/Getting-Data-In/How-to-parse-hash-code-from-a-raw-log-into-a-field/m-p/411556#M94505 <P>@kjebaker3 adding a raw event sample would help for us to identify correct regular expression pattern. Assuming SHA # will be followed by a space character (SHA will not have space in it), you can try the following regex on your _raw events:</P> <PRE><CODE>&lt;yourSearch&gt; | rex "SHA (?&lt;hash&gt;[^\s]+)\s" </CODE></PRE> <P>@cpetterborg, slightly changed your Regex. Not sure of exact pattern until complete event can be posted.</P> Thu, 28 Jun 2018 02:34:06 GMT niketn 2018-06-28T02:34:06Z https://community.splunk.com/t5/Getting-Data-In/How-to-parse-hash-code-from-a-raw-log-into-a-field/m-p/411554#M94503 <P>Mail_Log_Splunk: Info: MID 119972447 SHA <STRONG>ee1b5fe97eb813f416052526bc191f3112382a7e9638fba3a3ed2652acf81d5a</STRONG> filename Pics meeting pagoda.doc queued for possible file analysis upload</P> <P>What is the regex to parse the bold section out of a raw log? </P> Tue, 29 Sep 2020 20:12:37 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-parse-hash-code-from-a-raw-log-into-a-field/m-p/411554#M94503 kjebaker3 2020-09-29T20:12:37Z https://community.splunk.com/t5/Getting-Data-In/How-to-parse-hash-code-from-a-raw-log-into-a-field/m-p/411555#M94504 <P>Something like this "run-anywhere" example should work for the case you provide:</P> <PRE><CODE>| makeresults | eval _raw="Mail_Log_Splunk: Info: MID 119972447 SHA ee1b5fe97eb813f416052526bc191f3112382a7e9638fba3a3ed2652acf81d5a" | rex "SHA (?&lt;hash&gt;[a-f0-9]+)" </CODE></PRE> Wed, 27 Jun 2018 19:11:53 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-parse-hash-code-from-a-raw-log-into-a-field/m-p/411555#M94504 cpetterborg 2018-06-27T19:11:53Z https://community.splunk.com/t5/Getting-Data-In/How-to-parse-hash-code-from-a-raw-log-into-a-field/m-p/411556#M94505 <P>@kjebaker3 adding a raw event sample would help for us to identify correct regular expression pattern. Assuming SHA # will be followed by a space character (SHA will not have space in it), you can try the following regex on your _raw events:</P> <PRE><CODE>&lt;yourSearch&gt; | rex "SHA (?&lt;hash&gt;[^\s]+)\s" </CODE></PRE> <P>@cpetterborg, slightly changed your Regex. Not sure of exact pattern until complete event can be posted.</P> Thu, 28 Jun 2018 02:34:06 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-parse-hash-code-from-a-raw-log-into-a-field/m-p/411556#M94505 niketn 2018-06-28T02:34:06Z https://community.splunk.com/t5/Getting-Data-In/How-to-parse-hash-code-from-a-raw-log-into-a-field/m-p/411557#M94506 <P>Thank you, for your answers! How would I make this into a field extraction?</P> Thu, 28 Jun 2018 17:13:27 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-parse-hash-code-from-a-raw-log-into-a-field/m-p/411557#M94506 kjebaker3 2018-06-28T17:13:27Z https://community.splunk.com/t5/Getting-Data-In/How-to-parse-hash-code-from-a-raw-log-into-a-field/m-p/411558#M94507 <P>At search time, or index time? BTW, Splunk best practice is at search time.</P> Thu, 28 Jun 2018 19:45:06 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-parse-hash-code-from-a-raw-log-into-a-field/m-p/411558#M94507 cpetterborg 2018-06-28T19:45:06Z https://community.splunk.com/t5/Getting-Data-In/How-to-parse-hash-code-from-a-raw-log-into-a-field/m-p/411559#M94508 <P>At search time. I need to use a Data Model that contains fields that are currently not being parsed from the raw logs. I ran the regex and it worked so now I need this to be a field extraction that I can add to an app that the Data Model uses. </P> Fri, 29 Jun 2018 13:51:19 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-parse-hash-code-from-a-raw-log-into-a-field/m-p/411559#M94508 kjebaker3 2018-06-29T13:51:19Z https://community.splunk.com/t5/Getting-Data-In/How-to-parse-hash-code-from-a-raw-log-into-a-field/m-p/411560#M94509 <P>Create a field extraction by going to Settings -&gt; Fields -&gt; Field Extractions -&gt; New Field Extraction.</P> <P>Then you fill in the form and use the regex in the Extraction/Transform field of the form.</P> Fri, 29 Jun 2018 19:10:13 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-parse-hash-code-from-a-raw-log-into-a-field/m-p/411560#M94509 cpetterborg 2018-06-29T19:10:13Z https://community.splunk.com/t5/Getting-Data-In/How-to-parse-hash-code-from-a-raw-log-into-a-field/m-p/411561#M94510 <P>Like this:</P> <PRE><CODE>... | rex "SHA (?&lt;hash&gt;\S+)" </CODE></PRE> Sun, 01 Jul 2018 03:55:56 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-parse-hash-code-from-a-raw-log-into-a-field/m-p/411561#M94510 woodcock 2018-07-01T03:55:56Z https://community.splunk.com/t5/Getting-Data-In/How-to-parse-hash-code-from-a-raw-log-into-a-field/m-p/411562#M94511 <P>@kjebaker3, refer to the following documentation for Field Extraction using IFX. You can override the automatic regular expression with your custom regular expression in the guided wizard: <A href="http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ExtractfieldsinteractivelywithIFX">http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ExtractfieldsinteractivelywithIFX</A></P> Sun, 01 Jul 2018 13:14:43 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-parse-hash-code-from-a-raw-log-into-a-field/m-p/411562#M94511 niketn 2018-07-01T13:14:43Z