https://community.splunk.com/t5/Splunk-Search/REGEX-Help/m-p/461828#M130203 <P>Hi<BR /> try this regex</P> <PRE><CODE>^[^\]]*\]\s+\[(?&lt;my_field&gt;[^\]]*) </CODE></PRE> <P>that you can test at <A href="https://regex101.com/r/GCtXSM/1/">https://regex101.com/r/GCtXSM/1/</A></P> <P>Ciao.<BR /> Giuseppe</P> Wed, 16 Oct 2019 16:17:23 GMT gcusello 2019-10-16T16:17:23Z https://community.splunk.com/t5/Splunk-Search/REGEX-Help/m-p/461826#M130201 <P>Trying to pull the value from the 2nd set of brackets [ ] from this log. Some of the data values are blank, some start with a "/" and some are just text/numbers. Struggling to set regex to get the value between the brackets, regardless of what data is in there.</P> <P>HELP? Thank You!</P> <PRE><CODE>2019-10-14 10:25:30,860 [0.16.132.114:8443-78] [/microdc_1] 2019-10-14 10:25:30,854 [0.16.132.114:8443-78] [/microdc_1] 2019-10-14 10:25:30,813 [0.16.132.114:8443-78] [/microdc_1] 2019-10-14 10:25:30,526 [10.16.142.94:8443-75] [TABTHREAD1] 2019-10-14 10:25:30,514 [.16.132.111:8443-146] [/microdc_1] 2019-10-14 10:25:30,467 [.16.136.140:8443-123] [/microdc_2] 2019-10-14 10:25:30,466 [.16.136.140:8443-123] [/microdc_2] 2019-10-14 10:25:30,103 [.16.132.111:8443-146] [/microdc_1] 2019-10-14 10:25:30,097 [.16.132.111:8443-146] [/microdc_1] 2019-10-14 10:25:30,078 [.16.132.111:8443-146] [/microdc_1] 2019-10-14 10:25:29,888 [.16.134.114:8443-128] [/microdc_1] 2019-10-14 10:25:29,883 [.16.134.114:8443-128] [/microdc_1] 2019-10-14 10:25:29,865 [.16.134.114:8443-128] [/microdc_1] 2019-10-14 10:25:29,638 [0.16.130.100:8443-71] [TABTHREAD1] 2019-10-14 10:25:29,594 [10.16.142.97:8443-80] [TABTHREAD2] 2019-10-14 10:25:29,594 [10.16.142.97:8443-80] [TABTHREAD2] 2019-10-14 10:25:29,502 [.16.130.104:8443-144] [TABTHREAD1] 2019-10-14 10:25:29,462 [0.16.134.106:8443-59] [ ] 2019-10-14 10:25:29,337 [0.16.130.100:8443-47] [TABTHREAD1] 2019-10-14 10:25:29,270 [0.16.134.106:8443-59] [TABTHREAD1] </CODE></PRE> Wed, 16 Oct 2019 16:10:34 GMT https://community.splunk.com/t5/Splunk-Search/REGEX-Help/m-p/461826#M130201 joesrepsolc 2019-10-16T16:10:34Z https://community.splunk.com/t5/Splunk-Search/REGEX-Help/m-p/461827#M130202 <P>try this :</P> <PRE><CODE>&lt;your_index&gt; | rex field=_raw "\-\d+\]\s+\[(?&lt;Field&gt;[^\]]+)\]" </CODE></PRE> <P>let me know if this helps!</P> Wed, 16 Oct 2019 16:16:45 GMT https://community.splunk.com/t5/Splunk-Search/REGEX-Help/m-p/461827#M130202 mayurr98 2019-10-16T16:16:45Z https://community.splunk.com/t5/Splunk-Search/REGEX-Help/m-p/461828#M130203 <P>Hi<BR /> try this regex</P> <PRE><CODE>^[^\]]*\]\s+\[(?&lt;my_field&gt;[^\]]*) </CODE></PRE> <P>that you can test at <A href="https://regex101.com/r/GCtXSM/1/">https://regex101.com/r/GCtXSM/1/</A></P> <P>Ciao.<BR /> Giuseppe</P> Wed, 16 Oct 2019 16:17:23 GMT https://community.splunk.com/t5/Splunk-Search/REGEX-Help/m-p/461828#M130203 gcusello 2019-10-16T16:17:23Z https://community.splunk.com/t5/Splunk-Search/REGEX-Help/m-p/461829#M130204 <P>Try this </P> <P><CODE>]\s(\[\/|\[)(?&lt;test&gt;[^\]]+)]</CODE></P> <P>Thanks <BR /> Anantha.</P> Wed, 16 Oct 2019 16:24:57 GMT https://community.splunk.com/t5/Splunk-Search/REGEX-Help/m-p/461829#M130204 Anantha123 2019-10-16T16:24:57Z