https://community.splunk.com/t5/Splunk-Search/extract-content-of-brackets/m-p/481804#M135016 <P>Hi @mehrdad_2000,</P> <P>If you just want whatever is between square brackets but ensuring it only contains letters and not numbers, you can do something like:</P> <PRE><CODE>| rex max_match=1 "^\d{4}\-\d{2}\-\d{2} \d{2}:\d{2}:\d{2}\,\d{3} \w+ [\w\-\.]+ \[(?&lt;myField&gt;[a-zA-Z]+)\]" </CODE></PRE> <P>For instance, if I use your sample data:</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/8752i68550168700E3F77/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Wed, 22 Apr 2020 08:58:16 GMT javiergn 2020-04-22T08:58:16Z https://community.splunk.com/t5/Splunk-Search/extract-content-of-brackets/m-p/481803#M135015 <P>how can i extract content of first bracket if it is string?</P> <P>e.g:<BR /> 2020-04-21 23:59:59,093 INFO xxx.xxx-zz-00000 [process] start[ppp] time[00] tag[xxx]<BR /> 2020-04-21 23:59:59,093 INFO xxx.xxx-zz-00000 [1234567] start[ppp] time[00] tag[xxx]<BR /> ....</P> <P>expected result:<BR /> process</P> <P>have huge log file need to extract process with this conditions<BR /> 1-content of first bracket<BR /> 2-it must be string not number!</P> <P>Thanks,</P> Wed, 22 Apr 2020 05:45:16 GMT https://community.splunk.com/t5/Splunk-Search/extract-content-of-brackets/m-p/481803#M135015 indeed_2000 2020-04-22T05:45:16Z https://community.splunk.com/t5/Splunk-Search/extract-content-of-brackets/m-p/481804#M135016 <P>Hi @mehrdad_2000,</P> <P>If you just want whatever is between square brackets but ensuring it only contains letters and not numbers, you can do something like:</P> <PRE><CODE>| rex max_match=1 "^\d{4}\-\d{2}\-\d{2} \d{2}:\d{2}:\d{2}\,\d{3} \w+ [\w\-\.]+ \[(?&lt;myField&gt;[a-zA-Z]+)\]" </CODE></PRE> <P>For instance, if I use your sample data:</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/8752i68550168700E3F77/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Wed, 22 Apr 2020 08:58:16 GMT https://community.splunk.com/t5/Splunk-Search/extract-content-of-brackets/m-p/481804#M135016 javiergn 2020-04-22T08:58:16Z https://community.splunk.com/t5/Splunk-Search/extract-content-of-brackets/m-p/481805#M135017 <P>As I mentioned this is large log file and need more complete regex to do this.<BR /> For example your answer extract only fixed pattern that i mention, but not work on these:</P> <P>2020-04-21 23:59:59,093 INFO xxxx.xxxxx-zz-00000xxx111 [process] start[ppp] time[00] tag[xxx]<BR /> 2020-04-21 23:59:59,093 INFO xx.xxx-zz-00000x [report] start[ppp] time[00] tag[xxx]</P> <P>Expected output:<BR /> process<BR /> report</P> Wed, 22 Apr 2020 12:04:44 GMT https://community.splunk.com/t5/Splunk-Search/extract-content-of-brackets/m-p/481805#M135017 indeed_2000 2020-04-22T12:04:44Z https://community.splunk.com/t5/Splunk-Search/extract-content-of-brackets/m-p/481806#M135018 <P>Hmm, that's interesting. I have tested both your samples on regex101 and my regex works fine with them. Look:</P> <P><A href="https://regex101.com/r/cjjSHZ/1">https://regex101.com/r/cjjSHZ/1</A></P> Thu, 23 Apr 2020 13:04:54 GMT https://community.splunk.com/t5/Splunk-Search/extract-content-of-brackets/m-p/481806#M135018 javiergn 2020-04-23T13:04:54Z