https://community.splunk.com/t5/Splunk-Search/field-extraction-after-brackets-value/m-p/483017#M135263 <P>hi i have log file like below<BR /> need to extact the section after first "<STRONG>]</STRONG>" to "<STRONG>[</STRONG>" or "<STRONG>.</STRONG>" or "<STRONG>:</STRONG>"</P> <PRE><CODE>2020-04-24 23:59:59,511 INFO ABCD.InIT-Service-1234567 [SrvListener] Receive Message[123456789ABCD123E123456789*] from [Service.APP] 2020-04-24 23:59:57,055 INFO ABCD.InIT-Service-1234567_EFGH.InIT-AppService-5764693 [AbcEndpointManager] Send Message [123456789ABCD123456789123456789*] to A[000] B[0000] 2020-04-24 23:59:59,081 INFO ABCD.InIT-Host-1234567_EFGH.InIT-Service-1234567 [TopologyProcessorService] Message Processed: A[000] B[0000] 2020-04-24 23:29:59,844 INFO ABCD.InIT-Service-1234567 [NetworkProcessor] NetworkProcessor Accomplished: A[000] B[0000] 2020-04-24 23:29:59,851 INFO NAME-1234567 [ExecuteService] CustomeService_clusterCustomeCommand chain was done. Define Parameters[input0='00000',input1='000000'] </CODE></PRE> <P>expected value:</P> <UL> <LI>Receive Message</LI> <LI>Send Message</LI> <LI>Message Processed</LI> <LI>NetworkProcessor Accomplished</LI> <LI>CustomeService_clusterCustomeCommand chain was done</LI> </UL> <P>Thanks</P> Sat, 25 Apr 2020 04:50:12 GMT indeed_2000 2020-04-25T04:50:12Z https://community.splunk.com/t5/Splunk-Search/field-extraction-after-brackets-value/m-p/483017#M135263 <P>hi i have log file like below<BR /> need to extact the section after first "<STRONG>]</STRONG>" to "<STRONG>[</STRONG>" or "<STRONG>.</STRONG>" or "<STRONG>:</STRONG>"</P> <PRE><CODE>2020-04-24 23:59:59,511 INFO ABCD.InIT-Service-1234567 [SrvListener] Receive Message[123456789ABCD123E123456789*] from [Service.APP] 2020-04-24 23:59:57,055 INFO ABCD.InIT-Service-1234567_EFGH.InIT-AppService-5764693 [AbcEndpointManager] Send Message [123456789ABCD123456789123456789*] to A[000] B[0000] 2020-04-24 23:59:59,081 INFO ABCD.InIT-Host-1234567_EFGH.InIT-Service-1234567 [TopologyProcessorService] Message Processed: A[000] B[0000] 2020-04-24 23:29:59,844 INFO ABCD.InIT-Service-1234567 [NetworkProcessor] NetworkProcessor Accomplished: A[000] B[0000] 2020-04-24 23:29:59,851 INFO NAME-1234567 [ExecuteService] CustomeService_clusterCustomeCommand chain was done. Define Parameters[input0='00000',input1='000000'] </CODE></PRE> <P>expected value:</P> <UL> <LI>Receive Message</LI> <LI>Send Message</LI> <LI>Message Processed</LI> <LI>NetworkProcessor Accomplished</LI> <LI>CustomeService_clusterCustomeCommand chain was done</LI> </UL> <P>Thanks</P> Sat, 25 Apr 2020 04:50:12 GMT https://community.splunk.com/t5/Splunk-Search/field-extraction-after-brackets-value/m-p/483017#M135263 indeed_2000 2020-04-25T04:50:12Z https://community.splunk.com/t5/Splunk-Search/field-extraction-after-brackets-value/m-p/483018#M135264 <P>Use rex:</P> <PRE><CODE>index = INDEX | rex "\]\s(?&lt;message&gt;[\w\s]+)" </CODE></PRE> <P>Sample query:</P> <PRE><CODE>| makeresults | eval _raw=" _raw 2020-04-24 23:59:59,511 INFO ABCD.InIT-Service-1234567 [SrvListener] Receive Message[123456789ABCD123E123456789*] from [Service.APP] 2020-04-24 23:59:57,055 INFO ABCD.InIT-Service-1234567_EFGH.InIT-AppService-5764693 [AbcEndpointManager] Send Message [123456789ABCD123456789123456789*] to A[000] B[0000] 2020-04-24 23:59:59,081 INFO ABCD.InIT-Host-1234567_EFGH.InIT-Service-1234567 [TopologyProcessorService] Message Processed: A[000] B[0000] 2020-04-24 23:29:59,844 INFO ABCD.InIT-Service-1234567 [NetworkProcessor] NetworkProcessor Accomplished: A[000] B[0000] 2020-04-24 23:29:59,851 INFO NAME-1234567 [ExecuteService] CustomeService_clusterCustomeCommand chain was done. Define Parameters[input0='00000',input1='000000']" | multikv forceheader=1 | rex "\]\s(?&lt;message&gt;[\w\s]+)" | fields _raw, message </CODE></PRE> Sat, 25 Apr 2020 08:09:46 GMT https://community.splunk.com/t5/Splunk-Search/field-extraction-after-brackets-value/m-p/483018#M135264 manjunathmeti 2020-04-25T08:09:46Z https://community.splunk.com/t5/Splunk-Search/field-extraction-after-brackets-value/m-p/483019#M135265 <P>work like charm, thank you <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Sat, 25 Apr 2020 15:58:03 GMT https://community.splunk.com/t5/Splunk-Search/field-extraction-after-brackets-value/m-p/483019#M135265 indeed_2000 2020-04-25T15:58:03Z