https://community.splunk.com/t5/Splunk-Search/Help-with-regex-with-two-different-type-events/m-p/472836#M133089 <P>Hi vrmandadi,<BR /> you could try to use two regexes to extract fields:</P> <PRE><CODE>| rex "EDT\s\d*\s(?&lt;USERNAME&gt;[^\s]+)\s*(?&lt;STATUS&gt;.*)\s+(?&lt;ROLE&gt;[^ ]+)$" | rex field=STATUS "(?&lt;STATUS1&gt;.*)\s+(?&lt;expity_date&gt;\d+-\w+-\d+)" | eval STATUS=coalesce(STATUS1, STATUS) </CODE></PRE> <P>The second regex runs with events with expiry date and the second one with events without it.<BR /> You can test the first regex in <A href="https://regex101.com/r/oNrmd0/1">https://regex101.com/r/oNrmd0/1</A> and the second one in <A href="https://regex101.com/r/oNrmd0/2">https://regex101.com/r/oNrmd0/2</A></P> <P>Bye.<BR /> Giuseppe</P> Thu, 05 Sep 2019 14:37:31 GMT gcusello 2019-09-05T14:37:31Z https://community.splunk.com/t5/Splunk-Search/Help-with-regex-with-two-different-type-events/m-p/472833#M133086 <P>Hello I have the below sample events <BR /> Thu Sep 5 10:00:02 EDT 2019 XDB EXPIRED &amp; LOCKED 28-SEP-11 CTXAPP</P> <P>Thu Sep 5 10:00:02 EDT 2019 VWEinsnte3345 LOCKED GPW_READ<BR /> Thu Sep 5 10:00:02 EDT 2019 SK_RYT LOCKED(TIMED) CDS_SELECT_ALL</P> <P>I want to extract XDB , VWEinsnte3345 ,SK_RYT AS USERNAME and EXPIRED &amp; LOCKED , LOCKED , LOCKED(TIMED) as status , 28-SEP-11 as expiry date(this field is not there for all events) and CTXAPP , GPW_READ , CDS_SELECT_ALL as ROLE </P> <P>Below is the regex I am using but this is only extracting for event 2 </P> <PRE><CODE>EDT\s\d*\s(?&lt;USERNAME&gt;[^\s]+)\s*(?&lt;STATUS&gt;[^ ]+)\s*(?&lt;ROLE&gt;[^ ]+) </CODE></PRE> <P>Thanks in advance </P> Wed, 30 Sep 2020 02:04:50 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-regex-with-two-different-type-events/m-p/472833#M133086 vrmandadi 2020-09-30T02:04:50Z https://community.splunk.com/t5/Splunk-Search/Help-with-regex-with-two-different-type-events/m-p/472834#M133087 <P>Try this</P> <PRE><CODE>EDT\s\d*\s(?&lt;USERNAME&gt;[^\s]+)\s*(?&lt;STATUS&gt;\w+( &amp; \w+)?)\s*(?&lt;EXPIRY&gt;\d+-[A-Z]+-\d+)?\s*(?&lt;ROLE&gt;[A-Za-z0-9_-]+) </CODE></PRE> <P>regex101.com is your friend.</P> <P><A href="https://regex101.com/r/ojcpz7/1">https://regex101.com/r/ojcpz7/1</A></P> Thu, 05 Sep 2019 14:27:48 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-regex-with-two-different-type-events/m-p/472834#M133087 DalJeanis 2019-09-05T14:27:48Z https://community.splunk.com/t5/Splunk-Search/Help-with-regex-with-two-different-type-events/m-p/472835#M133088 <P>Hello @DalJeanis I tried your regex but it did not work .I did try that in regex101 but it is not capturing everything for EXPIRY the values are 28-SEP-1 and ROLE has 1 which should be 28-SEP-11 and CTXAPP respectively .<BR /> The same with event 2 the status has value LOCKE and ROLE has D </P> Thu, 05 Sep 2019 14:35:01 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-regex-with-two-different-type-events/m-p/472835#M133088 vrmandadi 2019-09-05T14:35:01Z https://community.splunk.com/t5/Splunk-Search/Help-with-regex-with-two-different-type-events/m-p/472836#M133089 <P>Hi vrmandadi,<BR /> you could try to use two regexes to extract fields:</P> <PRE><CODE>| rex "EDT\s\d*\s(?&lt;USERNAME&gt;[^\s]+)\s*(?&lt;STATUS&gt;.*)\s+(?&lt;ROLE&gt;[^ ]+)$" | rex field=STATUS "(?&lt;STATUS1&gt;.*)\s+(?&lt;expity_date&gt;\d+-\w+-\d+)" | eval STATUS=coalesce(STATUS1, STATUS) </CODE></PRE> <P>The second regex runs with events with expiry date and the second one with events without it.<BR /> You can test the first regex in <A href="https://regex101.com/r/oNrmd0/1">https://regex101.com/r/oNrmd0/1</A> and the second one in <A href="https://regex101.com/r/oNrmd0/2">https://regex101.com/r/oNrmd0/2</A></P> <P>Bye.<BR /> Giuseppe</P> Thu, 05 Sep 2019 14:37:31 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-regex-with-two-different-type-events/m-p/472836#M133089 gcusello 2019-09-05T14:37:31Z https://community.splunk.com/t5/Splunk-Search/Help-with-regex-with-two-different-type-events/m-p/472837#M133090 <P>is that your entire event? if not then could pls share the entire event?</P> Thu, 05 Sep 2019 15:25:37 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-regex-with-two-different-type-events/m-p/472837#M133090 mayurr98 2019-09-05T15:25:37Z https://community.splunk.com/t5/Splunk-Search/Help-with-regex-with-two-different-type-events/m-p/472838#M133091 <P>Thanks Much</P> Fri, 06 Sep 2019 17:45:48 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-regex-with-two-different-type-events/m-p/472838#M133091 vrmandadi 2019-09-06T17:45:48Z