https://community.splunk.com/t5/Splunk-Search/Field-Extraction-regex-stop-at-word-or/m-p/500793#M139438 <P>So I have some data that I'm trying to extract the application name from. These are Citrix ICA syslog events. </P> <P>Here's the 2 snippets I'm trying to match. One I'd like to stop at " - startTime" the other stop at the $. Both are the same field applicationName.</P> <P>applicationName <EM>SXe Staging GCAST-2</EM> - startTime<BR /> applicationName <EM>HDS 2016 VIRTUAL DESKTOP TEST</EM> $S88-166 - startTime </P> <P>The italic text is what I'd like to get for the field value "applicationName" </P> <P>Here is what I have come up with that does capture to - startTime.</P> <PRE><CODE> rex "applicationName (?&lt;AAAAAAA&gt;.+)(?=(\s-\sstartTime))" </CODE></PRE> <P>However when I try </P> <PRE><CODE> rex "applicationName (?&lt;AAAAAAA&gt;.+)(?=(\s-\sstartTime|$))" rex "applicationName (?&lt;AAAAAAA&gt;.+)(?=(\s-\sstartTime|\$))" rex "applicationName (?&lt;AAAAAAA&gt;.+)(?=(\s-\sstartTime|\\$))" rex "applicationName (?&lt;AAAAAAA&gt;[^$].+)(?=(\s-\sstartTime))" rex "applicationName (?&lt;AAAAAAA&gt;[^\$|startTime].+)" </CODE></PRE> <P>It doesn't quite work right. Anyway I'm just trying to limit the results to actual application names, not this extra bit of data that Citrix someone has thrown into the field.</P> <P>Like these, the two Windows 10 events should really be the same field value.<BR /> SXe Staging GCAST-2<BR /> HDS 2016 VIRTUAL DESKTOP TEST $S88-166<BR /> Canada Greatplains<BR /> Windows 10 $A41-29-3D5DDA4A-0001<BR /> aSa ex Menu<BR /> Windows 10 $A67-37-3D5C3C71-0001</P> Thu, 26 Mar 2020 14:43:11 GMT JDukeSplunk 2020-03-26T14:43:11Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction-regex-stop-at-word-or/m-p/500793#M139438 <P>So I have some data that I'm trying to extract the application name from. These are Citrix ICA syslog events. </P> <P>Here's the 2 snippets I'm trying to match. One I'd like to stop at " - startTime" the other stop at the $. Both are the same field applicationName.</P> <P>applicationName <EM>SXe Staging GCAST-2</EM> - startTime<BR /> applicationName <EM>HDS 2016 VIRTUAL DESKTOP TEST</EM> $S88-166 - startTime </P> <P>The italic text is what I'd like to get for the field value "applicationName" </P> <P>Here is what I have come up with that does capture to - startTime.</P> <PRE><CODE> rex "applicationName (?&lt;AAAAAAA&gt;.+)(?=(\s-\sstartTime))" </CODE></PRE> <P>However when I try </P> <PRE><CODE> rex "applicationName (?&lt;AAAAAAA&gt;.+)(?=(\s-\sstartTime|$))" rex "applicationName (?&lt;AAAAAAA&gt;.+)(?=(\s-\sstartTime|\$))" rex "applicationName (?&lt;AAAAAAA&gt;.+)(?=(\s-\sstartTime|\\$))" rex "applicationName (?&lt;AAAAAAA&gt;[^$].+)(?=(\s-\sstartTime))" rex "applicationName (?&lt;AAAAAAA&gt;[^\$|startTime].+)" </CODE></PRE> <P>It doesn't quite work right. Anyway I'm just trying to limit the results to actual application names, not this extra bit of data that Citrix someone has thrown into the field.</P> <P>Like these, the two Windows 10 events should really be the same field value.<BR /> SXe Staging GCAST-2<BR /> HDS 2016 VIRTUAL DESKTOP TEST $S88-166<BR /> Canada Greatplains<BR /> Windows 10 $A41-29-3D5DDA4A-0001<BR /> aSa ex Menu<BR /> Windows 10 $A67-37-3D5C3C71-0001</P> Thu, 26 Mar 2020 14:43:11 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-regex-stop-at-word-or/m-p/500793#M139438 JDukeSplunk 2020-03-26T14:43:11Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction-regex-stop-at-word-or/m-p/500794#M139439 <P>hi @JDukeSplunk,</P> <P>Try this regex:</P> <PRE><CODE>| rex "applicationName\s(?&lt;application_name&gt;[^\$]+).*\s-\sstartTime" </CODE></PRE> <P>Sample query:</P> <PRE><CODE>| makeresults | eval _raw="_raw applicationName SXe Staging GCAST-2 - startTime applicationName HDS 2016 VIRTUAL DESKTOP TEST $S88-166 - startTime applicationName Canada Greatplains - startTime applicationName Windows 10 $A41-29-3D5DDA4A-0001 - startTime" | multikv forceheader=1 | rex "applicationName\s(?&lt;application_name&gt;[^\$]+).*\s-\sstartTime" </CODE></PRE> Thu, 26 Mar 2020 16:01:52 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-regex-stop-at-word-or/m-p/500794#M139439 manjunathmeti 2020-03-26T16:01:52Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction-regex-stop-at-word-or/m-p/500795#M139440 <P>Like this:</P> <PRE><CODE>\s+(?&lt;capture&gt;.*?)\s+(?:-|\$) </CODE></PRE> <P>See here:<BR /> <A href="https://regex101.com/r/TZlhtj/1">https://regex101.com/r/TZlhtj/1</A></P> Thu, 26 Mar 2020 16:25:00 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-regex-stop-at-word-or/m-p/500795#M139440 woodcock 2020-03-26T16:25:00Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction-regex-stop-at-word-or/m-p/500796#M139441 <P>In fairness, both regex's here work equally well. I just wanted to give @manjunathmeti the credit because his points are lower. </P> <P>Thanks both of you.</P> Thu, 26 Mar 2020 17:28:51 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-regex-stop-at-word-or/m-p/500796#M139441 JDukeSplunk 2020-03-26T17:28:51Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction-regex-stop-at-word-or/m-p/500797#M139442 <P>As you should. I also think his is probably better, too.</P> Thu, 26 Mar 2020 17:36:51 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-regex-stop-at-word-or/m-p/500797#M139442 woodcock 2020-03-26T17:36:51Z