https://community.splunk.com/t5/Splunk-Search/rex-pattern-to-create-a-field/m-p/390446#M113722 <P>the whole string looks like this</P> <P>I 2019-05-23 22:27:15.886Z 5960 1712 <STRONG>XOceMpk7Ph@Lna20eJwxXwAAAAU</STRONG> 1@43465473@A WPB-Log: file=/users/source/testr.cls method=testmethod ID= ok=1 ProcessedBankTxnCount=2 TxnRecord=289 NumOfProcessedTxns=1</P> <P>I am using<BR /> rex field=rawdata "^\d+\s(?[^\s]*)\s" | table myField </P> <P>but it does not match anything.</P> <P>Am I missing anything?</P> Fri, 24 May 2019 16:59:11 GMT iamtrying 2019-05-24T16:59:11Z https://community.splunk.com/t5/Splunk-Search/rex-pattern-to-create-a-field/m-p/390443#M113719 <P>Hi,<BR /> I have this string in the log.</P> <P>439 <STRONG>XObk5g6CUI62-gr3UIKfXAAAAAs</STRONG> 1@43465473@A</P> <P>and I want to create a field out the string in the bold.</P> <P>Please mind that <STRONG>439</STRONG> and <STRONG>1@43465473@A</STRONG> are not constant.</P> <P>Thanks for the help!</P> <P>Saurabh</P> Thu, 23 May 2019 23:25:00 GMT https://community.splunk.com/t5/Splunk-Search/rex-pattern-to-create-a-field/m-p/390443#M113719 iamtrying 2019-05-23T23:25:00Z https://community.splunk.com/t5/Splunk-Search/rex-pattern-to-create-a-field/m-p/390444#M113720 <P>Try this</P> <PRE><CODE>| makeresults | fields - _time | eval rawdata="439 XObk5g6CUI62-gr3UIKfXAAAAAs 1@43465473@A" | rex field=rawdata "^\d+\s(?&lt;myField&gt;[^\s]*)\s" </CODE></PRE> <P>More general regex would be:</P> <PRE><CODE>| makeresults | fields - _time | eval rawdata="439 XObk5g6CUI62-gr3UIKfXAAAAAs 1@43465473@A" | rex field=rawdata "^.*?\s(?&lt;myField&gt;[^\s]*)" </CODE></PRE> Fri, 24 May 2019 00:09:41 GMT https://community.splunk.com/t5/Splunk-Search/rex-pattern-to-create-a-field/m-p/390444#M113720 nabeel652 2019-05-24T00:09:41Z https://community.splunk.com/t5/Splunk-Search/rex-pattern-to-create-a-field/m-p/390445#M113721 <P>Hi @iamtrying</P> <P>Try this also</P> <PRE><CODE>| makeresults | eval msg="439 XObk5g6CUI62-gr3UIKfXAAAAAs 1@43465473@A", result = mvindex(split(msg," "),1) </CODE></PRE> Fri, 24 May 2019 06:31:17 GMT https://community.splunk.com/t5/Splunk-Search/rex-pattern-to-create-a-field/m-p/390445#M113721 vnravikumar 2019-05-24T06:31:17Z https://community.splunk.com/t5/Splunk-Search/rex-pattern-to-create-a-field/m-p/390446#M113722 <P>the whole string looks like this</P> <P>I 2019-05-23 22:27:15.886Z 5960 1712 <STRONG>XOceMpk7Ph@Lna20eJwxXwAAAAU</STRONG> 1@43465473@A WPB-Log: file=/users/source/testr.cls method=testmethod ID= ok=1 ProcessedBankTxnCount=2 TxnRecord=289 NumOfProcessedTxns=1</P> <P>I am using<BR /> rex field=rawdata "^\d+\s(?[^\s]*)\s" | table myField </P> <P>but it does not match anything.</P> <P>Am I missing anything?</P> Fri, 24 May 2019 16:59:11 GMT https://community.splunk.com/t5/Splunk-Search/rex-pattern-to-create-a-field/m-p/390446#M113722 iamtrying 2019-05-24T16:59:11Z https://community.splunk.com/t5/Splunk-Search/rex-pattern-to-create-a-field/m-p/390447#M113723 <P>You need to skip time stamp and then few other fields:</P> <P>Use this </P> <PRE><CODE>| makeresults | fields - _time | eval rawdata="I 2019-05-23 22:27:15.886Z 5960 1712 XOceMpk7Ph@Lna20eJwxXwAAAAU 1@43465473@A WPB-Log: file=/users/source/testr.cls method=testmethod ID= ok=1 ProcessedBankTxnCount=2 TxnRecord=289 NumOfProcessedTxns=1" | rex field=rawdata ".*?\s.*?\s.*?\s.*?\s.*?\s(?&lt;myField&gt;[^\s]*)" | table myField </CODE></PRE> Sun, 26 May 2019 08:47:05 GMT https://community.splunk.com/t5/Splunk-Search/rex-pattern-to-create-a-field/m-p/390447#M113723 nabeel652 2019-05-26T08:47:05Z