https://community.splunk.com/t5/Splunk-Search/rex-command-help/m-p/478933#M134252 <P>Here's one way.</P> <PRE><CODE>... | rex "(?&lt;field&gt;[^\.]+)" </CODE></PRE> Tue, 25 Feb 2020 13:51:50 GMT richgalloway 2020-02-25T13:51:50Z https://community.splunk.com/t5/Splunk-Search/rex-command-help/m-p/478932#M134251 <P>Hi All,</P> <P><STRONG><EM>my data is like below</EM></STRONG>-- I want to extract when it has string ignore numbers</P> <PRE><CODE>853727-gcplusrspcndb01.usa.corp.ad 10.198.29.5 </CODE></PRE> <P><STRONG>Output:-</STRONG></P> <PRE><CODE>853727-gcplusrspcndb01 10.198.29.5 </CODE></PRE> Tue, 25 Feb 2020 13:33:46 GMT https://community.splunk.com/t5/Splunk-Search/rex-command-help/m-p/478932#M134251 harishalipaka 2020-02-25T13:33:46Z https://community.splunk.com/t5/Splunk-Search/rex-command-help/m-p/478933#M134252 <P>Here's one way.</P> <PRE><CODE>... | rex "(?&lt;field&gt;[^\.]+)" </CODE></PRE> Tue, 25 Feb 2020 13:51:50 GMT https://community.splunk.com/t5/Splunk-Search/rex-command-help/m-p/478933#M134252 richgalloway 2020-02-25T13:51:50Z https://community.splunk.com/t5/Splunk-Search/rex-command-help/m-p/478934#M134253 <P>Hi @harishalipaka,<BR /> try this</P> <PRE><CODE>| rex "^\s+(?&lt;url&gt;[^\.]+).*\s+(?&lt;ip&gt;\d+\.\d+\.\d+\.\d+)" </CODE></PRE> <P>that you can test at <A href="https://regex101.com/r/6axOMx/1">https://regex101.com/r/6axOMx/1</A></P> <P>Ciao.<BR /> Giuseppe</P> Tue, 25 Feb 2020 14:08:05 GMT https://community.splunk.com/t5/Splunk-Search/rex-command-help/m-p/478934#M134253 gcusello 2020-02-25T14:08:05Z https://community.splunk.com/t5/Splunk-Search/rex-command-help/m-p/478935#M134254 <P>Hi @richgalloway</P> <P>I already tried this logic but it will extract like below</P> <PRE><CODE>853727-gcplusrspcndb01 10 </CODE></PRE> <P>But i want like this </P> <PRE><CODE>853727-gcplusrspcndb01 10.198.29.5 </CODE></PRE> Wed, 26 Feb 2020 10:12:27 GMT https://community.splunk.com/t5/Splunk-Search/rex-command-help/m-p/478935#M134254 harishalipaka 2020-02-26T10:12:27Z https://community.splunk.com/t5/Splunk-Search/rex-command-help/m-p/478936#M134255 <P>Hi @gcusello </P> <P>It is not working for me .am getting empty fields.</P> <PRE><CODE>| rex field=HostName "^\s+(?&lt;url&gt;[^\.]+).*\s+(?&lt;ip&gt;\d+\.\d+\.\d+\.\d+)" </CODE></PRE> Wed, 26 Feb 2020 10:17:05 GMT https://community.splunk.com/t5/Splunk-Search/rex-command-help/m-p/478936#M134255 harishalipaka 2020-02-26T10:17:05Z https://community.splunk.com/t5/Splunk-Search/rex-command-help/m-p/478937#M134256 <P>Hi @harishalipaka,<BR /> probably your row data are different, this regex is related to the information you shared, could you share an example of your row data?</P> <P>Ciao.<BR /> Giuseppe</P> Wed, 26 Feb 2020 10:48:53 GMT https://community.splunk.com/t5/Splunk-Search/rex-command-help/m-p/478937#M134256 gcusello 2020-02-26T10:48:53Z https://community.splunk.com/t5/Splunk-Search/rex-command-help/m-p/478938#M134257 <PRE><CODE>| rex mode=sed "s/[.a-z]*$//" </CODE></PRE> Wed, 26 Feb 2020 11:12:47 GMT https://community.splunk.com/t5/Splunk-Search/rex-command-help/m-p/478938#M134257 to4kawa 2020-02-26T11:12:47Z