https://community.splunk.com/t5/Alerting/field-extraction/m-p/567163#M13021 <P>Can you provide your search and an exact replica of your data. If that rex statement does not work in your environment, then the data you provided in your original post is not the same as the data in your search.</P><P>&nbsp;</P> Wed, 15 Sep 2021 22:19:15 GMT bowesmana 2021-09-15T22:19:15Z https://community.splunk.com/t5/Alerting/field-extraction/m-p/567036#M13009 <P>I have the following log<BR /><BR /><BR /><SPAN>!!! --</SPAN><SPAN class="t">-</SPAN> <SPAN class="t">HUB</SPAN> <SPAN class="t"><FONT color="#FF0000">ctxsdc1cvdi013.za.sbicdirectory.com</FONT>:443</SPAN> <FONT color="#00FF00"><SPAN class="t">is</SPAN> <SPAN class="t">unavailable</SPAN></FONT><SPAN> --</SPAN><SPAN class="t">-</SPAN><SPAN> !!! </SPAN><SPAN class="t">user=</SPAN><SPAN>'</SPAN><SPAN class="t">molefe_user</SPAN><SPAN>' </SPAN><SPAN class="t">password=</SPAN><SPAN>'</SPAN><FONT color="#0000FF"><SPAN class="t">molefe</SPAN></FONT><SPAN>' </SPAN><SPAN class="t">quota=</SPAN><SPAN>'</SPAN><SPAN class="t">user</SPAN><SPAN>' </SPAN><SPAN class="t">host=</SPAN><SPAN>'</SPAN><SPAN class="t">002329bvpc123cw.branches.sbicdirectory.com</SPAN><SPAN>' </SPAN><SPAN class="t">port=</SPAN><SPAN>'</SPAN><SPAN class="t">443</SPAN><SPAN>' </SPAN><SPAN class="t">count=</SPAN><SPAN>'</SPAN><SPAN class="t">1</SPAN><SPAN>' !!! --</SPAN><SPAN class="t">-</SPAN> <SPAN class="t">HUB</SPAN> <SPAN class="t">002329bvpc123cw.branches.sbicdirectory.com:443</SPAN> <SPAN class="t">is</SPAN> <SPAN class="t">unavailable</SPAN><SPAN> --</SPAN><SPAN class="t">-</SPAN><SPAN> !!! </SPAN><SPAN class="t">host=</SPAN><SPAN>'</SPAN><SPAN class="t"><SPAN class="t h">005558bvpc5ce4w.za.sbicdirectory</SPAN>.com</SPAN><SPAN>' </SPAN><SPAN class="t">port=</SPAN><SPAN>'</SPAN><SPAN class="t">443</SPAN><SPAN>' </SPAN><SPAN class="t">count=</SPAN><SPAN>'</SPAN><SPAN class="t">1</SPAN><SPAN>' !!! --</SPAN><SPAN class="t">-</SPAN> <SPAN class="t">HUB</SPAN> <SPAN class="t">005558bvpc5ce4w.za.sbicdirectory.com:443</SPAN> <SPAN class="t">is</SPAN> <SPAN class="t">unavailable</SPAN><SPAN> --</SPAN><SPAN class="t">-</SPAN><SPAN> !!! </SPAN><SPAN class="t">host=</SPAN><SPAN>'</SPAN><SPAN class="t">41360jnbpbb758w.za.sbicdirectory.com</SPAN><SPAN>' </SPAN><SPAN class="t">port=</SPAN><SPAN>'</SPAN><SPAN class="t">443</SPAN><SPAN>' </SPAN><SPAN class="t">count=</SPAN><SPAN>'</SPAN><SPAN class="t">1</SPAN><SPAN>' !!! --</SPAN><SPAN class="t">-</SPAN> <SPAN class="t">HUB</SPAN> <SPAN class="t">41360jnbpbb758w.za.sbicdirectory.com:443</SPAN> <SPAN class="t">is</SPAN> <SPAN class="t">unavailable</SPAN><SPAN> --</SPAN><SPAN class="t">-</SPAN><SPAN> !!! </SPAN><SPAN class="t">host=</SPAN><SPAN>'</SPAN><SPAN class="t">48149jnbpbb041w.za.sbicdirectory.com</SPAN><SPAN>' </SPAN><SPAN class="t">port=</SPAN><SPAN>'</SPAN><SPAN class="t">443</SPAN><SPAN>' </SPAN><SPAN class="t">count=</SPAN><SPAN>'</SPAN><SPAN class="t">1</SPAN><SPAN>' !!! --</SPAN><SPAN class="t">-</SPAN> <SPAN class="t">HUB</SPAN> <SPAN class="t">48149jnbpbb041w.za.sbicdirectory.com:443</SPAN> <SPAN class="t">is</SPAN> <SPAN class="t">unavailable</SPAN><SPAN> --</SPAN><SPAN class="t">-</SPAN><SPAN> !!! </SPAN><SPAN class="t">user=</SPAN><SPAN>'</SPAN><SPAN class="t">pips_lvl_one_user</SPAN><SPAN>' </SPAN><SPAN class="t">password=</SPAN><SPAN>'</SPAN><SPAN class="t">pips_lvl_one</SPAN><SPAN>' </SPAN><SPAN class="t">quota=</SPAN><SPAN>'</SPAN><SPAN class="t">user</SPAN><SPAN>'</SPAN></P><P>&nbsp;</P><P><SPAN>I have above log and I'm struggling to extract the colored items<BR /><SPAN class="t"><FONT color="#FF0000">ctxsdc1cvdi013.za.sbicdirectory.com = as workstation ID</FONT></SPAN><BR /></SPAN><SPAN><SPAN class="t"><FONT color="#FF0000"><FONT color="#00FF00">is unavailable = as&nbsp; status<BR /><FONT color="#0000FF">molefe = as quota</FONT><BR /></FONT></FONT></SPAN></SPAN></P> Tue, 14 Sep 2021 22:37:17 GMT https://community.splunk.com/t5/Alerting/field-extraction/m-p/567036#M13009 sphiwee 2021-09-14T22:37:17Z https://community.splunk.com/t5/Alerting/field-extraction/m-p/567038#M13010 <P>Run this search and check the rex statement</P><LI-CODE lang="markup">| makeresults | eval _raw="!!! --- HUB ctxsdc1cvdi013.za.sbicdirectory.com:443 is unavailable --- !!! user='molefe_user' password='molefe' quota='user' host='002329bvpc123cw.branches.sbicdirectory.com' port='443' count='1' !!! --- HUB 002329bvpc123cw.branches.sbicdirectory.com:443 is unavailable --- !!! host='005558bvpc5ce4w.za.sbicdirectory.com' port='443' count='1' !!! --- HUB 005558bvpc5ce4w.za.sbicdirectory.com:443 is unavailable --- !!! host='41360jnbpbb758w.za.sbicdirectory.com' port='443' count='1' !!! --- HUB 41360jnbpbb758w.za.sbicdirectory.com:443 is unavailable --- !!! host='48149jnbpbb041w.za.sbicdirectory.com' port='443' count='1' !!! --- HUB 48149jnbpbb041w.za.sbicdirectory.com:443 is unavailable --- !!! user='pips_lvl_one_user' password='pips_lvl_one' quota='user'" | rex "!!! --- HUB (?&lt;workstationId&gt;[^:]*):\d+\s(?&lt;status&gt;[^-]*).*?password='(?&lt;quota&gt;[^']*)"</LI-CODE><P>However, did you want the password molefe to be the quota?</P><P>Also, this was posted as a single line log message and you only wanted those 3 fields - was that correct - the rex statement will get those.</P><P>However, it assumes the :port number will always be present. regex would need to change if that's not the case.</P><P>&nbsp;</P> Tue, 14 Sep 2021 22:49:04 GMT https://community.splunk.com/t5/Alerting/field-extraction/m-p/567038#M13010 bowesmana 2021-09-14T22:49:04Z https://community.splunk.com/t5/Alerting/field-extraction/m-p/567062#M13012 <P>Hi the port will always be the same, however when I run this regex command in my search it doesnt extract anything<BR /><BR /></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="sphiwee_0-1631690245103.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/15988i2E72EF8BF878DF9F/image-size/medium?v=v2&amp;px=400" role="button" title="sphiwee_0-1631690245103.png" alt="sphiwee_0-1631690245103.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>Quota I think it was extracted automatically and its wrong hence I wanted the regex way</P> Wed, 15 Sep 2021 07:18:20 GMT https://community.splunk.com/t5/Alerting/field-extraction/m-p/567062#M13012 sphiwee 2021-09-15T07:18:20Z https://community.splunk.com/t5/Alerting/field-extraction/m-p/567089#M13013 <P>Can I also get the results of your search</P> Wed, 15 Sep 2021 09:28:59 GMT https://community.splunk.com/t5/Alerting/field-extraction/m-p/567089#M13013 sphiwee 2021-09-15T09:28:59Z https://community.splunk.com/t5/Alerting/field-extraction/m-p/567163#M13021 <P>Can you provide your search and an exact replica of your data. If that rex statement does not work in your environment, then the data you provided in your original post is not the same as the data in your search.</P><P>&nbsp;</P> Wed, 15 Sep 2021 22:19:15 GMT https://community.splunk.com/t5/Alerting/field-extraction/m-p/567163#M13021 bowesmana 2021-09-15T22:19:15Z