https://community.splunk.com/t5/Splunk-Search/Regex-help/m-p/462431#M130370 <PRE><CODE> index=main fail2ban.actions sshd | rex "\[(?&lt;jail&gt;[a-z]+)\]" | fields jail </CODE></PRE> <P>regex: <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Regex">https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Regex</A><BR /> rex: <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rex">https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rex</A></P> <P>what do you want to do? <BR /> <CODE>[</CODE>is meta character.<BR /> your <CODE>| regex _raw="[(?&lt;jail&gt;sshd)]"</CODE> searches the word <CODE>sshd</CODE></P> <P>see following:</P> <PRE><CODE> \ general escape character with several uses ^ assert start of string (or line, in multiline mode) $ assert end of string (or line, in multiline mode) . match any character except newline (by default) [ start character class definition | start of alternative branch ( start subpattern ) end subpattern ? extends the meaning of ( also 0 or 1 quantifier also quantifier minimizer * 0 or more quantifier + 1 or more quantifier also "possessive quantifier" { start min/max quantifier </CODE></PRE> <P><A href="https://www.pcre.org/original/doc/html/pcrepattern.html">https://www.pcre.org/original/doc/html/pcrepattern.html</A></P> Wed, 01 Apr 2020 13:15:47 GMT to4kawa 2020-04-01T13:15:47Z https://community.splunk.com/t5/Splunk-Search/Regex-help/m-p/462427#M130366 <P>I am at a loss as to why the following is not working. <BR /> log:<BR /> 2020-03-31 20:31:19,621 fail2ban.actions [709]: NOTICE [sshd] Unban 156.38.x.x<BR /> Query<BR /> index=main fail2ban.actions | regex _raw="[(?<JAIL>sshd)]" | fields jail<BR /> I have double checked the regular expression with regex101 and "sshd" is captured in group jail. <BR /> Am i missing something?<BR /> Splunk Enterprise 8.0.2.1</JAIL></P> Wed, 01 Apr 2020 02:23:51 GMT https://community.splunk.com/t5/Splunk-Search/Regex-help/m-p/462427#M130366 vlape_SCWX 2020-04-01T02:23:51Z https://community.splunk.com/t5/Splunk-Search/Regex-help/m-p/462428#M130367 <P>For some reason the \ before [ was stripped when posting the question. </P> Wed, 01 Apr 2020 02:25:28 GMT https://community.splunk.com/t5/Splunk-Search/Regex-help/m-p/462428#M130367 vlape_SCWX 2020-04-01T02:25:28Z https://community.splunk.com/t5/Splunk-Search/Regex-help/m-p/462429#M130368 <P>Hi</P> <P>Use Code Sample or press Ctrl +k while posting your query</P> Wed, 01 Apr 2020 05:01:55 GMT https://community.splunk.com/t5/Splunk-Search/Regex-help/m-p/462429#M130368 vnravikumar 2020-04-01T05:01:55Z https://community.splunk.com/t5/Splunk-Search/Regex-help/m-p/462430#M130369 <P>@vlape_SCWX can you try something like the following:</P> <PRE><CODE>index=main fail2ban.actions | rex "\[(?&lt;jail&gt;sshd)\]" | table jail _raw </CODE></PRE> <P>Not sure what you want to pull with hard-coded <CODE>sshd</CODE></P> Wed, 01 Apr 2020 07:19:15 GMT https://community.splunk.com/t5/Splunk-Search/Regex-help/m-p/462430#M130369 niketn 2020-04-01T07:19:15Z https://community.splunk.com/t5/Splunk-Search/Regex-help/m-p/462431#M130370 <PRE><CODE> index=main fail2ban.actions sshd | rex "\[(?&lt;jail&gt;[a-z]+)\]" | fields jail </CODE></PRE> <P>regex: <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Regex">https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Regex</A><BR /> rex: <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rex">https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rex</A></P> <P>what do you want to do? <BR /> <CODE>[</CODE>is meta character.<BR /> your <CODE>| regex _raw="[(?&lt;jail&gt;sshd)]"</CODE> searches the word <CODE>sshd</CODE></P> <P>see following:</P> <PRE><CODE> \ general escape character with several uses ^ assert start of string (or line, in multiline mode) $ assert end of string (or line, in multiline mode) . match any character except newline (by default) [ start character class definition | start of alternative branch ( start subpattern ) end subpattern ? extends the meaning of ( also 0 or 1 quantifier also quantifier minimizer * 0 or more quantifier + 1 or more quantifier also "possessive quantifier" { start min/max quantifier </CODE></PRE> <P><A href="https://www.pcre.org/original/doc/html/pcrepattern.html">https://www.pcre.org/original/doc/html/pcrepattern.html</A></P> Wed, 01 Apr 2020 13:15:47 GMT https://community.splunk.com/t5/Splunk-Search/Regex-help/m-p/462431#M130370 to4kawa 2020-04-01T13:15:47Z https://community.splunk.com/t5/Splunk-Search/Regex-help/m-p/462432#M130371 <P>That worked! thanks you. Why is it when I search for the exact match it returns nothing?</P> Wed, 01 Apr 2020 17:10:28 GMT https://community.splunk.com/t5/Splunk-Search/Regex-help/m-p/462432#M130371 vlape_SCWX 2020-04-01T17:10:28Z https://community.splunk.com/t5/Splunk-Search/Regex-help/m-p/462433#M130372 <P><CODE>regex</CODE> is search, not field extract command. <BR /> so, field <EM>jail</EM> is missing.</P> Wed, 01 Apr 2020 18:49:30 GMT https://community.splunk.com/t5/Splunk-Search/Regex-help/m-p/462433#M130372 to4kawa 2020-04-01T18:49:30Z