https://community.splunk.com/t5/Splunk-Search/I-have-a-problem-in-creating-regex-for-below-expression/m-p/377113#M110654 <P>If you want to extract the field inline in the search, the regular expression from first option (EXTRACT-fields) in your <CODE>rex</CODE> command.</P> Tue, 08 May 2018 16:47:48 GMT somesoni2 2018-05-08T16:47:48Z https://community.splunk.com/t5/Splunk-Search/I-have-a-problem-in-creating-regex-for-below-expression/m-p/377110#M110651 <P>expression:<BR /> 2018-02-2008:13:44|ABC1034|Sumit Martin|0|147707|Amit|SURESH||19490616|M|2030 SQ 16 PERRA|ABC E-212|INDIA|FL|33125|7863174200|Tiger|Transportation|Created|</P> <P>I have created regex for extracting threefields but not able figure out how to write for other fields.You can assign any name for fields.<BR /> Below is my regex:<BR /> (?timestamp(\d{4})-(\d{2})-(\d{4}):(\d{2}):(\d{2}))|(?id([A-Z]{3}\d{4}))|(?contact(\d{10}))</P> <P>After the ? ,there is &lt; timestamp and after field name &gt;. Splunk editor is not allowing me to add that .eg:- &lt; timestamp "&gt;"<BR /> Don't keep double quotes.</P> <P>Thanks.</P> Tue, 08 May 2018 16:30:31 GMT https://community.splunk.com/t5/Splunk-Search/I-have-a-problem-in-creating-regex-for-below-expression/m-p/377110#M110651 pal_sumit1 2018-05-08T16:30:31Z https://community.splunk.com/t5/Splunk-Search/I-have-a-problem-in-creating-regex-for-below-expression/m-p/377111#M110652 <P>Try this (they pipe separated values so regex doing the same, dummy field names are used here, update per your data and it's sequencing in the data)</P> <PRE><CODE>###props.conf on Search Head [yourSourceType] EXTRACT-fields = ^(?&lt;Timestamp&gt;[^\|]+)\|(?&lt;field1&gt;[^\|]+)\|(?&lt;field2&gt;[^\|]+)\|(?&lt;field3&gt;[^\|]+)\|(?&lt;field4&gt;[^\|]+)\|(?&lt;field5&gt;[^\|]+)\|(?&lt;field5&gt;[^\|]+)\|(?&lt;field1&gt;[^\|]+)\|(?&lt;field1&gt;[^\|]+)\|(?&lt;Timestamp&gt;[^\|]+)\|(?&lt;field1&gt;[^\|]+)\|(?&lt;field1&gt;[^\|]+)\|(?&lt;field1&gt;[^\|]+)\|(?&lt;field1&gt;[^\|]+)\|(?&lt;field1&gt;[^\|]+)\|(?&lt;field1&gt;[^\|]+)\|(?&lt;field1&gt;[^\|]+)\|(?&lt;field1&gt;[^\|]+)\| </CODE></PRE> <P>OR (props.conf and transforms.conf on Search Head)</P> <PRE><CODE>###props.conf on Search Head [yourSourceType] REPORT-fields = psv_fields_for_yourSourceType ###transforms.conf on Search head [psv_fields_for_yourSourceType] DELIMS = "|" FIELDS = "timestamp", "field1", "field2",...comma separated list of all fields.. </CODE></PRE> Tue, 08 May 2018 16:47:04 GMT https://community.splunk.com/t5/Splunk-Search/I-have-a-problem-in-creating-regex-for-below-expression/m-p/377111#M110652 somesoni2 2018-05-08T16:47:04Z https://community.splunk.com/t5/Splunk-Search/I-have-a-problem-in-creating-regex-for-below-expression/m-p/377112#M110653 <P>Hello, could you provide a sample event? </P> Tue, 08 May 2018 16:47:48 GMT https://community.splunk.com/t5/Splunk-Search/I-have-a-problem-in-creating-regex-for-below-expression/m-p/377112#M110653 jodyfsu 2018-05-08T16:47:48Z https://community.splunk.com/t5/Splunk-Search/I-have-a-problem-in-creating-regex-for-below-expression/m-p/377113#M110654 <P>If you want to extract the field inline in the search, the regular expression from first option (EXTRACT-fields) in your <CODE>rex</CODE> command.</P> Tue, 08 May 2018 16:47:48 GMT https://community.splunk.com/t5/Splunk-Search/I-have-a-problem-in-creating-regex-for-below-expression/m-p/377113#M110654 somesoni2 2018-05-08T16:47:48Z