https://community.splunk.com/t5/Knowledge-Management/Regular-Expression/m-p/707566#M10359 <P>According to regex101.com, your regular expression works.&nbsp; This one, however, is more efficient.</P><LI-CODE lang="markup">EXTRACT-Rule = (")?Rule:(?P&lt;Rule&gt;.*?)(?(1)\1|,)</LI-CODE><P>It looks for a leading quotation mark and uses that as the terminating character (using <FONT face="courier new,courier">(?(1)\1|,)</FONT>).</P> Thu, 26 Dec 2024 01:21:28 GMT richgalloway 2024-12-26T01:21:28Z https://community.splunk.com/t5/Knowledge-Management/Regular-Expression/m-p/707564#M10358 <P>I need to extract the Rule field using a regex in props.conf without using transforms.conf.</P> <P>The regex I used was</P> <LI-CODE lang="markup">Rule\:(?P&lt;Rule&gt;\s.*?(?=\")|((\s\w+)+)\-\w+\s\w+|\s.*?(?=\,))</LI-CODE> <P><BR /><BR />Please let me know if you have any idea of ​​regular expression that satisfies all cases below to extract rule field by looking at the original data below.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">Test-String Dec 5 17:22:59 10.2.1.166 Dec 5 17:13:45 ICxxx SymantecServer: Nxxx,10.150.35.108,Continue,Application and Device Control is ready,System,Begin: 2022-12-05 17:13:18,End Time: 2022-12-05 17:13:18,Rule: Built-in rule,0,SysPlant,0,SysPlant,None,User Name: None,Domain Name: None,Action Type: ,File size (bytes): 0,Device ID: Dec 5 17:22:59 10.2.1.166 Dec 5 17:12:45 ICxxx SymantecServer,10.10.232.76,Blocked,[AC7-2.1] 스크립트 차단 - Caller,End Time: 2024-12-05 16:41:09,Rule: 모든 응용 프로그램 | [AC7-2.1] 파일 및 폴더 액세스 시도,9056,C:/Windows/System32/svchost.exe,0,No Module Name,C:/Windows/System32/GroupPolicy/DataStore/0/SysVol/celltrion.com/Policies/{08716B68-6FB2-4C06-99B3-2685F9035E2E}/Machine/Scripts/Startup/start_dot3svc.bat,User Name: xxx,Domain Name: xxx,Action Type: ,File size (bytes): xx,Device ID: xxx\xx&amp;Ven_NVMe&amp;Prod_Skhynix_BC501_NV\5&amp;974&amp;0&amp;000 Dec 5 17:22:59 10.2.1.166 Dec 5 17:13:06 IC01 SymantecServer: N1404002,10.50.248.13,Blocked,이 규칙은 모든 응용 프로그램이 시스템에 드라이브 문자를 추가하는 모든 USB 장치에 파일을 쓸 수 없도록 차단합니다. - File,Begin: 2024-12-05 16:33:53,End Time: 2024-12-05 16:33:53,"Rule: USB 드라이브에 읽기 허용,쓰기 차단 | [AC4-1.1] USB 드라이브에 읽기 허용,쓰기 차단",4032,C:/Program Files/Microsoft Office/xxx/Office16/EXCEL.EXE,0,No Module Name,D:/1. NBD/1. ADC cytotoxicity/2024-4Q/~$20241203-05 CT-P70 Drug release.xlsx,User Name: 1404002,Domain Name:xxx,Action Type: ,File size (bytes): 0,xx</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">extract string Rule: Built-in rule Rule: 모든 응용 프로그램 | [AC7-2.1] 파일 및 폴더 액세스 시도 Rule: USB 드라이브에 읽기 허용,쓰기 차단 | [AC4-1.1] USB 드라이브에 읽기 허용,쓰기 차단</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 27 Dec 2024 15:07:42 GMT https://community.splunk.com/t5/Knowledge-Management/Regular-Expression/m-p/707564#M10358 silverKi 2024-12-27T15:07:42Z https://community.splunk.com/t5/Knowledge-Management/Regular-Expression/m-p/707566#M10359 <P>According to regex101.com, your regular expression works.&nbsp; This one, however, is more efficient.</P><LI-CODE lang="markup">EXTRACT-Rule = (")?Rule:(?P&lt;Rule&gt;.*?)(?(1)\1|,)</LI-CODE><P>It looks for a leading quotation mark and uses that as the terminating character (using <FONT face="courier new,courier">(?(1)\1|,)</FONT>).</P> Thu, 26 Dec 2024 01:21:28 GMT https://community.splunk.com/t5/Knowledge-Management/Regular-Expression/m-p/707566#M10359 richgalloway 2024-12-26T01:21:28Z https://community.splunk.com/t5/Knowledge-Management/Regular-Expression/m-p/707569#M10361 <P>Can you explain the regular expression you used?&nbsp;</P> Thu, 26 Dec 2024 04:56:11 GMT https://community.splunk.com/t5/Knowledge-Management/Regular-Expression/m-p/707569#M10361 silverKi 2024-12-26T04:56:11Z https://community.splunk.com/t5/Knowledge-Management/Regular-Expression/m-p/707572#M10363 <P>Try this expression</P><LI-CODE lang="markup">("|)Rule:\s*(?P&lt;Rule&gt;.*?)\1,\d</LI-CODE> Thu, 26 Dec 2024 10:12:18 GMT https://community.splunk.com/t5/Knowledge-Management/Regular-Expression/m-p/707572#M10363 ITWhisperer 2024-12-26T10:12:18Z https://community.splunk.com/t5/Knowledge-Management/Regular-Expression/m-p/707603#M10365 <P>Hi,<BR /><BR />Can you try the following regex<BR /><BR />Regex:&nbsp;<STRONG>Rule:\s(?P&lt;Rule&gt;(.*?)(?=,\d+))</STRONG><BR /><BR />It uses positive lookahead (?=) and captures everything until it finds "," followed by digit. If the end of the rule always has a digit then this will work. Keep in mind that if an word is replaced by digit at the end of the rule this will not work.<BR /><BR />Please try and if it works an upvote is appreciated.</P> Fri, 27 Dec 2024 06:37:38 GMT https://community.splunk.com/t5/Knowledge-Management/Regular-Expression/m-p/707603#M10365 Aditi27 2024-12-27T06:37:38Z https://community.splunk.com/t5/Knowledge-Management/Regular-Expression/m-p/707623#M10366 <P>Positive lookahead doesn't perform well in Splunk and, generally, is unnecessary.</P> Fri, 27 Dec 2024 12:49:29 GMT https://community.splunk.com/t5/Knowledge-Management/Regular-Expression/m-p/707623#M10366 richgalloway 2024-12-27T12:49:29Z https://community.splunk.com/t5/Knowledge-Management/Regular-Expression/m-p/709204#M10368 <P>I solved the problem using REX&nbsp;</P><LI-CODE lang="markup">(\"|)Rule:\s*(?P&lt;Rule&gt;.*?)(?:(\"))?\</LI-CODE><P>&nbsp;</P> Mon, 20 Jan 2025 07:51:49 GMT https://community.splunk.com/t5/Knowledge-Management/Regular-Expression/m-p/709204#M10368 silverKi 2025-01-20T07:51:49Z