https://community.splunk.com/t5/Splunk-Search/How-to-rex-field-in-unstructured-flat-file-events/m-p/462219#M130279 <P>I am breaking every line in flat file and trying to fetch the field using rex, this is how my events looks like: </P> <P>98000020200512 <STRONG>-992.00</STRONG> 0.00 001 01<BR /> 98000020200523 <STRONG>830566.00</STRONG> 0.00 001 02<BR /> 98000020200515 <STRONG>-7356.00</STRONG> 0.00 001 03<BR /> 98000020200516 <STRONG>-18760.00</STRONG> 0.00 001 04<BR /> 98000020200518 <STRONG>764074.00</STRONG> 0.00 001 05<BR /> 98000020200530 <STRONG>165432.00</STRONG> 0.00 001 06<BR /> 98000020200531 <STRONG>98715.00</STRONG> 0.00 001 07<BR /> 98000020200511 <STRONG>119993.00</STRONG> 0.00 001 08<BR /> 98000020200502 <STRONG>908831.00</STRONG> 0.00 001 09<BR /> 12000020200507 <STRONG>-5481.00</STRONG> 0.00 001 10</P> <P>The bold digits need to be extracted as Amount field, where the values could be a negative or positive amount.</P> Tue, 26 May 2020 10:37:05 GMT jhantuSplunk 2020-05-26T10:37:05Z https://community.splunk.com/t5/Splunk-Search/How-to-rex-field-in-unstructured-flat-file-events/m-p/462219#M130279 <P>I am breaking every line in flat file and trying to fetch the field using rex, this is how my events looks like: </P> <P>98000020200512 <STRONG>-992.00</STRONG> 0.00 001 01<BR /> 98000020200523 <STRONG>830566.00</STRONG> 0.00 001 02<BR /> 98000020200515 <STRONG>-7356.00</STRONG> 0.00 001 03<BR /> 98000020200516 <STRONG>-18760.00</STRONG> 0.00 001 04<BR /> 98000020200518 <STRONG>764074.00</STRONG> 0.00 001 05<BR /> 98000020200530 <STRONG>165432.00</STRONG> 0.00 001 06<BR /> 98000020200531 <STRONG>98715.00</STRONG> 0.00 001 07<BR /> 98000020200511 <STRONG>119993.00</STRONG> 0.00 001 08<BR /> 98000020200502 <STRONG>908831.00</STRONG> 0.00 001 09<BR /> 12000020200507 <STRONG>-5481.00</STRONG> 0.00 001 10</P> <P>The bold digits need to be extracted as Amount field, where the values could be a negative or positive amount.</P> Tue, 26 May 2020 10:37:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-rex-field-in-unstructured-flat-file-events/m-p/462219#M130279 jhantuSplunk 2020-05-26T10:37:05Z https://community.splunk.com/t5/Splunk-Search/How-to-rex-field-in-unstructured-flat-file-events/m-p/462220#M130280 <P>Hi @jhantuSplunk,<BR /> try this regex</P> <PRE><CODE>^\d+\s+(?&lt;Amount&gt;[^ ]+) </CODE></PRE> <P>that you can test at <A href="https://regex101.com/r/F24fG0/1">https://regex101.com/r/F24fG0/1</A></P> <P>Ciao.<BR /> Giuseppe</P> Tue, 26 May 2020 16:21:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-rex-field-in-unstructured-flat-file-events/m-p/462220#M130280 gcusello 2020-05-26T16:21:58Z https://community.splunk.com/t5/Splunk-Search/How-to-rex-field-in-unstructured-flat-file-events/m-p/462221#M130281 <P>Hi</P> <P>Try this</P> <PRE><CODE>| makeresults | eval temp="98000020200512 -992.00 0.00 001 01, 98000020200523 830566.00 0.00 001 02, 98000020200515 -7356.00 0.00 001 03, 98000020200516 -18760.00 0.00 001 04, 98000020200518 764074.00 0.00 001 05, 98000020200530 165432.00 0.00 001 06, 98000020200531 98715.00 0.00 001 07, 98000020200511 119993.00 0.00 001 08, 98000020200502 908831.00 0.00 001 09, 12000020200507 -5481.00 0.00 001 10" | makemv delim="," temp | mvexpand temp | eval result= mvindex(split(temp," "),1) | table result </CODE></PRE> Wed, 27 May 2020 02:46:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-rex-field-in-unstructured-flat-file-events/m-p/462221#M130281 vnravikumar 2020-05-27T02:46:42Z https://community.splunk.com/t5/Splunk-Search/How-to-rex-field-in-unstructured-flat-file-events/m-p/462222#M130282 <P>props.conf</P> <PRE><CODE>TIME_PREFIX = \d{6} TIME_FORMAT = %Y%m%d SHOULD_LINEMERGE = false EXTRACT-unst = ^\d+\s+(?&lt;Amount&gt;[^ ]+)\s+(?&lt;fieldA&gt;[^ ]+)\s+(?&lt;fieldB&gt;[^ ]+)\s+(?&lt;fieldC&gt;[^ ]+) </CODE></PRE> Wed, 27 May 2020 08:26:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-rex-field-in-unstructured-flat-file-events/m-p/462222#M130282 to4kawa 2020-05-27T08:26:23Z