https://community.splunk.com/t5/Splunk-Search/Extracting-fields-for-a-specific-text/m-p/489487#M136722 <P>Like this:</P> <PRE><CODE>^\S+\s+GC\((?&lt;GC_stage&gt;\d+)\)\s+Garbage Collection \((?&lt;_KEY_1&gt;.+?)\)\s+(?&lt;_VAL_1&gt;.*)$ </CODE></PRE> <P>Plus this:<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Configureadvancedextractionswithfieldtransforms#REGEX">https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Configureadvancedextractionswithfieldtransforms#REGEX</A></P> Mon, 25 Nov 2019 05:38:32 GMT woodcock 2019-11-25T05:38:32Z https://community.splunk.com/t5/Splunk-Search/Extracting-fields-for-a-specific-text/m-p/489485#M136720 <P>hi All,</P> <P>Am trying to extract the fields for only the text when it contains start or end as my test_status field that should contain only those values and the value next to the test_status field as my test_name example:DeVone_Benchmarking_Suite. When am trying auto regex and delimiter like space am getting other values as well in those field which am not interested. Can someone help me how to extract only those values in my fields.</P> <P>Please find the sample events below.</P> <P>[2019-11-24T13:20:48.226-0500][580.588s] GC(8) Garbage Collection (Allocation Rate) 8532M(69%)-&gt;2574M(21%)</P> <P>[2019-11-24T13:18:28.315-0500][440.678s] GC(7) Garbage Collection (Allocation Rate) 11414M(93%)-&gt;1744M(14%)</P> <P>[2019-11-24T13:16:13.876-0500][306.239s] GC(6) Garbage Collection (System.gc()) 2560M(21%)-&gt;1268M(10%)</P> <P>[2019-11-24T13:16:12.570-0500][304.932s] GC(5) Garbage Collection (Allocation Rate) 8270M(67%)-&gt;2560M(21%)</P> <P>[2019-11-24T13:14:01.328-0500][173.690s] GC(4) Garbage Collection (Allocation Rate) 11576M(94%)-&gt;1758M(14%)</P> <P>[2019-11-24T13:11:14.353-0500][6.716s] GC(0) Garbage Collection (Warmup) 1264M(10%)-&gt;958M(8%)</P> <P>[2019-11-24T13:11:07.709-0500][0.071s] Using The Z Garbage Collector</P> <P>[2019-11-24T13:11:07-05:00] DEVJVM-Test-Start DeVone_Benchmarking_Suite SEGUE1401_12GB_MEMORY</P> <P>[2019-11-24T13:11:07-05:00] DEVJVM-Test-End DeVone_Benchmarking_Suite</P> <P>[2019-11-24T13:11:06.014-0500][1491.413s] GC(23) Garbage Collection (Allocation Rate) 2514M(22%)-&gt;1832M(16%)</P> <P>[2019-11-24T13:10:55.376-0500][1480.775s] GC(22) Garbage Collection (Allocation Rate) 9108M(81%)-&gt;1500M(13%)</P> <P>[2019-11-24T13:08:21.376-0500][1326.775s] GC(21) Garbage Collection (Allocation Rate) 10124M(90%)-&gt;1682M(15%)</P> <P>Thanks,<BR /> Devon</P> Wed, 30 Sep 2020 03:04:04 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-fields-for-a-specific-text/m-p/489485#M136720 datamine 2020-09-30T03:04:04Z https://community.splunk.com/t5/Splunk-Search/Extracting-fields-for-a-specific-text/m-p/489486#M136721 <P>The auto regex tool leaves a little to be desired. Try this manual regex: <CODE>(?&lt;test_status&gt;(Test-Start|Test-End)\s(?&lt;test_name&gt;\S+)</CODE></P> Sun, 24 Nov 2019 23:01:59 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-fields-for-a-specific-text/m-p/489486#M136721 richgalloway 2019-11-24T23:01:59Z https://community.splunk.com/t5/Splunk-Search/Extracting-fields-for-a-specific-text/m-p/489487#M136722 <P>Like this:</P> <PRE><CODE>^\S+\s+GC\((?&lt;GC_stage&gt;\d+)\)\s+Garbage Collection \((?&lt;_KEY_1&gt;.+?)\)\s+(?&lt;_VAL_1&gt;.*)$ </CODE></PRE> <P>Plus this:<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Configureadvancedextractionswithfieldtransforms#REGEX">https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Configureadvancedextractionswithfieldtransforms#REGEX</A></P> Mon, 25 Nov 2019 05:38:32 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-fields-for-a-specific-text/m-p/489487#M136722 woodcock 2019-11-25T05:38:32Z