https://community.splunk.com/t5/Splunk-Search/How-to-create-a-regex-to-extract-data/m-p/453209#M128275 <P>Hi @pruthvikrishnapolavarapu</P> <P>your regex is correct but in Splunk syntax is different and there should be at least one name group to identify what the regex is extracting.</P> <P>your regex throws below error:</P> <P>Error in 'rex' command: The regex '[(.*)SFP' does not extract anything. It should specify at least one named group. Format: (?...).</P> Sat, 21 Jul 2018 12:32:29 GMT thambisetty 2018-07-21T12:32:29Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-regex-to-extract-data/m-p/453206#M128272 <P>I am new to Regex and hopefully someone can help me. I am trying to extract data between "[" and "SFP". It doesn't matter what the data is or length of the extract as it varies.</P> <P>example 1: Jul 1 13:10:07 -07:00 HOSTNAME [MIC(0/2) link 0 SFP laser bias current high warning set ]<BR /> example 2: Jul 10 16:08:20 -04:00 HOSTNAME [sfp-1/0/2 link 2 SFP laser bias current high warning set ]</P> <P>Thanks!</P> Fri, 20 Jul 2018 15:02:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-regex-to-extract-data/m-p/453206#M128272 donemery 2018-07-20T15:02:19Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-regex-to-extract-data/m-p/453207#M128273 <P>| rex "\[(?&lt;my_field&gt;.*)SFP"</P> Fri, 20 Jul 2018 15:18:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-regex-to-extract-data/m-p/453207#M128273 pradeepkumarg 2018-07-20T15:18:58Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-regex-to-extract-data/m-p/453208#M128274 <PRE><CODE>(?&lt;=\[)(.*)(?= SFP) </CODE></PRE> Fri, 20 Jul 2018 22:36:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-regex-to-extract-data/m-p/453208#M128274 pruthvikrishnap 2018-07-20T22:36:49Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-regex-to-extract-data/m-p/453209#M128275 <P>Hi @pruthvikrishnapolavarapu</P> <P>your regex is correct but in Splunk syntax is different and there should be at least one name group to identify what the regex is extracting.</P> <P>your regex throws below error:</P> <P>Error in 'rex' command: The regex '[(.*)SFP' does not extract anything. It should specify at least one named group. Format: (?...).</P> Sat, 21 Jul 2018 12:32:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-regex-to-extract-data/m-p/453209#M128275 thambisetty 2018-07-21T12:32:29Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-regex-to-extract-data/m-p/453210#M128276 <P>Hi @donemery</P> <P>Try something like below it trims space also after 0 and before SFP. using * is not recommended:</P> <PRE><CODE>| rex field=_raw "\[(?&lt;my_field&gt;[^SFP]+)\s" </CODE></PRE> <P>The problem with * is that it will match until last occurrence of match. for example if there are two SFP(may not be in this case in general I am talking about) in log like below</P> <P>Jul 1 13:10:07 -07:00 HOSTNAME [MIC(0/2) link 0 <STRONG>SFP</STRONG> laser bias current high warning set <STRONG>SFP</STRONG></P> <P>result of using * is below:</P> <P>MIC(0/2) link 0 SFP laser bias current high warning set</P> Sat, 21 Jul 2018 12:55:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-regex-to-extract-data/m-p/453210#M128276 thambisetty 2018-07-21T12:55:38Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-regex-to-extract-data/m-p/453211#M128277 <P>Like this</P> <PRE><CODE>| rex "\[(?&lt;FieldNameHere&gt;.*?)SFP" </CODE></PRE> Sat, 21 Jul 2018 17:35:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-regex-to-extract-data/m-p/453211#M128277 woodcock 2018-07-21T17:35:12Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-regex-to-extract-data/m-p/453212#M128278 <P>Something like <CODE>.*\[(?&lt;ext&gt;.*)SFP.*</CODE> -</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/5409iA3CA309462CF2475/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Sun, 22 Jul 2018 01:11:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-regex-to-extract-data/m-p/453212#M128278 ddrillic 2018-07-22T01:11:17Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-regex-to-extract-data/m-p/453213#M128279 <P>Thanks for your help! One more question if I may, how would I check for XFP or SFP in a message. The format would be identical, just the first letter could be "X" or "S". It will always be capitalized.</P> <P>Thanks!</P> Mon, 23 Jul 2018 14:57:25 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-regex-to-extract-data/m-p/453213#M128279 donemery 2018-07-23T14:57:25Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-regex-to-extract-data/m-p/453214#M128280 <PRE><CODE>| rex field=_raw "\[(?&lt;my_field&gt;.+)(SFP|XFP)" </CODE></PRE> <P>Also, I recommend that you play around with your regexes on regex101.com</P> Wed, 25 Jul 2018 20:53:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-regex-to-extract-data/m-p/453214#M128280 cstump_splunk 2018-07-25T20:53:32Z