https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-using-rex-that-may-or-may-not-be-present/m-p/359240#M106205 <P>thanks @cpetterborg. So with <CODE>?</CODE> instead of <CODE>*</CODE> will improve performance in this case..updated the answer.</P> Wed, 07 Feb 2018 13:50:28 GMT 493669 2018-02-07T13:50:28Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-using-rex-that-may-or-may-not-be-present/m-p/359236#M106201 <P>Consider I am having two string - <CODE>"YY02State"</CODE> and <CODE>"Y02State"</CODE></P> <P>In the above strings, I have to extract the fields like:<BR /> Y - <CODE>IsStateLegal</CODE><BR /> Y - <CODE>IsStateSafe</CODE><BR /> 02 - <CODE>StateId</CODE><BR /> State - <CODE>NameOfState</CODE></P> <P>There might be instances when the <CODE>IsStateSafe</CODE> field is not available in the log entry, like it is in the second string <CODE>"Y02State"</CODE>. How can I write rex for this? Please note the other fields will always be available.</P> <P>I tried the following rex, but of no luck.</P> <PRE><CODE>(?&lt;IsStateLegal&gt;\w{1})(?&lt;IsStateSafe&gt;\w*.{1})(?&lt;StateId&gt;d{2})(?&lt;NameOfState&gt;\w*) </CODE></PRE> <P>Please suggest a solution for this.</P> Wed, 07 Feb 2018 06:00:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-using-rex-that-may-or-may-not-be-present/m-p/359236#M106201 Naren26 2018-02-07T06:00:46Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-using-rex-that-may-or-may-not-be-present/m-p/359237#M106202 <P>Try this run anywhere search:</P> <PRE><CODE> |makeresults|eval _raw="Y02State"|rex "(?&lt;IsStateLegal&gt;\w{1})(?&lt;IsStateSafe&gt;\w)?(?&lt;StateId&gt;\d{2})(?&lt;NameOfState&gt;\w+)" </CODE></PRE> Wed, 07 Feb 2018 06:07:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-using-rex-that-may-or-may-not-be-present/m-p/359237#M106202 493669 2018-02-07T06:07:10Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-using-rex-that-may-or-may-not-be-present/m-p/359238#M106203 <P>hey @Naren26,</P> <P>Try this run anywhere search</P> <PRE><CODE>| makeresults | eval raw="YY02State Y02State N32State YN02State" | makemv raw | mvexpand raw | rex field=raw "(?&lt;IsStateLegal&gt;[A-Za-z])(?&lt;IsStateSafe&gt;[^\d]*)(?&lt;StateId&gt;\d{2})(?&lt;NameOfState&gt;\S+)" </CODE></PRE> <P>In your environment, you should write</P> <PRE><CODE>| rex field=_raw "(?&lt;IsStateLegal&gt;[A-Za-z])(?&lt;IsStateSafe&gt;[^\d]*)(?&lt;StateId&gt;\d{2})(?&lt;NameOfState&gt;\S+)" </CODE></PRE> <P>let me know if this helps!</P> Wed, 07 Feb 2018 06:47:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-using-rex-that-may-or-may-not-be-present/m-p/359238#M106203 mayurr98 2018-02-07T06:47:51Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-using-rex-that-may-or-may-not-be-present/m-p/359239#M106204 <PRE><CODE>|makeresults|eval _raw="Y02State"|rex "(?&lt;IsStateLegal&gt;\w{1})(?&lt;IsStateSafe&gt;\w)?(?&lt;StateId&gt;\d{2})(?&lt;NameOfState&gt;\w+)" </CODE></PRE> <P>This will result in half the number of steps required to match. The greedy * makes it work twice as much in this case.</P> Wed, 07 Feb 2018 12:54:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-using-rex-that-may-or-may-not-be-present/m-p/359239#M106204 cpetterborg 2018-02-07T12:54:00Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-using-rex-that-may-or-may-not-be-present/m-p/359240#M106205 <P>thanks @cpetterborg. So with <CODE>?</CODE> instead of <CODE>*</CODE> will improve performance in this case..updated the answer.</P> Wed, 07 Feb 2018 13:50:28 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-using-rex-that-may-or-may-not-be-present/m-p/359240#M106205 493669 2018-02-07T13:50:28Z