https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Struggle/m-p/513741#M144174 <P>i have these log entries, and I'm trying to extract the underlined data as "Business_Process"</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="sphiwee_0-1597246959262.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/10219iB1AFB136C0CC3970/image-size/medium?v=v2&amp;px=400" role="button" title="sphiwee_0-1597246959262.png" alt="sphiwee_0-1597246959262.png" /></span></P><P>i'm using the below regex, on geg101 it extracts just fine but on splunk it exctracts a huge chunk.</P><P>&nbsp;rex field=_raw "\Drun\.name\D:\D(?&lt;Business_Process&gt;.+)\D,\Drun.u"</P><P>&nbsp;</P><P>i get below result in splunk<BR /><BR /></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="sphiwee_1-1597247468022.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/10221iC28D67B7494F75D1/image-size/medium?v=v2&amp;px=400" role="button" title="sphiwee_1-1597247468022.png" alt="sphiwee_1-1597247468022.png" /></span></P><P>&nbsp;</P> Wed, 12 Aug 2020 15:55:34 GMT sphiwee 2020-08-12T15:55:34Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Struggle/m-p/513741#M144174 <P>i have these log entries, and I'm trying to extract the underlined data as "Business_Process"</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="sphiwee_0-1597246959262.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/10219iB1AFB136C0CC3970/image-size/medium?v=v2&amp;px=400" role="button" title="sphiwee_0-1597246959262.png" alt="sphiwee_0-1597246959262.png" /></span></P><P>i'm using the below regex, on geg101 it extracts just fine but on splunk it exctracts a huge chunk.</P><P>&nbsp;rex field=_raw "\Drun\.name\D:\D(?&lt;Business_Process&gt;.+)\D,\Drun.u"</P><P>&nbsp;</P><P>i get below result in splunk<BR /><BR /></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="sphiwee_1-1597247468022.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/10221iC28D67B7494F75D1/image-size/medium?v=v2&amp;px=400" role="button" title="sphiwee_1-1597247468022.png" alt="sphiwee_1-1597247468022.png" /></span></P><P>&nbsp;</P> Wed, 12 Aug 2020 15:55:34 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Struggle/m-p/513741#M144174 sphiwee 2020-08-12T15:55:34Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Struggle/m-p/513772#M144190 Please share your sample data as text rather than a screen shot so people can test with it. Wed, 12 Aug 2020 19:26:05 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Struggle/m-p/513772#M144190 richgalloway 2020-08-12T19:26:05Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Struggle/m-p/513777#M144194 <P>| rex “run\.name\”:\”(?&lt;Business_Process&gt;[^\”]+)”</P><P>don’t forget to replace double quotes from your keyboard. Double quotes may not match as I am typing from them my phone.</P> Wed, 12 Aug 2020 19:34:56 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Struggle/m-p/513777#M144194 thambisetty 2020-08-12T19:34:56Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Struggle/m-p/513813#M144205 <P>wow thanks bro works perfectly, how can i learn to perfect my regex skills?</P> Wed, 12 Aug 2020 22:01:12 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Struggle/m-p/513813#M144205 sphiwee 2020-08-12T22:01:12Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Struggle/m-p/513820#M144206 <P>having same issue, trying to extract red text<BR /><BR />"run\.author\.fullname\D:\"(?&lt;USER&gt;.+\"\,\"r)"</P><P>&nbsp;</P><P>&nbsp;</P> Sat, 15 Aug 2020 17:11:53 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Struggle/m-p/513820#M144206 sphiwee 2020-08-15T17:11:53Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Struggle/m-p/513832#M144208 <P><SPAN>just advice - don't post actual data here.</SPAN></P><P><SPAN><BR />| rex “run\.author\.fullname\”:\”(?&lt;User&gt;[^\”]+)”</SPAN></P> Thu, 13 Aug 2020 06:23:42 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Struggle/m-p/513832#M144208 thambisetty 2020-08-13T06:23:42Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Struggle/m-p/514246#M144334 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="sphiwee_1-1597512234006.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/10273iBAB82CD461C46E16/image-size/medium?v=v2&amp;px=400" role="button" title="sphiwee_1-1597512234006.png" alt="sphiwee_1-1597512234006.png" /></span></P><P>Hi thanks for the advice, seem to be getting an error on that regex&nbsp;</P><P>&nbsp;</P> Sat, 15 Aug 2020 17:24:28 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Struggle/m-p/514246#M144334 sphiwee 2020-08-15T17:24:28Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Struggle/m-p/514247#M144335 <LI-CODE lang="markup">| rex "run\.author\.fullname\":\"(?&lt;User&gt;[^\"]+)"</LI-CODE><P>try now. the issue is with double quotes, as I had typed them from my phone.</P> Sat, 15 Aug 2020 17:27:14 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Struggle/m-p/514247#M144335 thambisetty 2020-08-15T17:27:14Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Struggle/m-p/514248#M144336 <P>Yes I figured it was that, sorry to be bothersome.. any idea how can i vizualize a relationship between&nbsp; Business_Process and User ? i want to show in a cool way which user ran which business process&nbsp;</P> Sat, 15 Aug 2020 17:46:11 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Struggle/m-p/514248#M144336 sphiwee 2020-08-15T17:46:11Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Struggle/m-p/514261#M144337 <P>| stats values(Business_process) as business_process by User</P> Sat, 15 Aug 2020 20:10:55 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Struggle/m-p/514261#M144337 thambisetty 2020-08-15T20:10:55Z