https://community.splunk.com/t5/Splunk-Search/Fetch-incident-from-subject/m-p/515197#M144641 <P>Hi</P><P>I think that this is duplicate question to&nbsp;</P><P><A href="https://community.splunk.com/t5/Splunk-Search/Regex-help-for-incident/m-p/515131#M144610" target="_blank">https://community.splunk.com/t5/Splunk-Search/Regex-help-for-incident/m-p/515131#M144610</A></P><P>basically your issue seems to be wrong&nbsp;<SPAN>&nbsp;</SPAN><SPAN>“ and ”. Otherwise your query is working as expected just switch both of those to ".</SPAN></P><LI-CODE lang="java">| makeresults | eval subject="[SecMail:] INC000027755501|TAS00003760220 wrdna904xusa73|server is unreachable | INC000027790458| INC000027882562" | rex field=subject max_match=0 "(?&lt;Incident&gt;INC\d+)" | table Incident subject</LI-CODE><P>r. Ismo&nbsp;</P> Thu, 20 Aug 2020 12:19:02 GMT isoutamo 2020-08-20T12:19:02Z https://community.splunk.com/t5/Splunk-Search/Fetch-incident-from-subject/m-p/515113#M144602 <P>I am using below query to fetch Incident from the subject line:—</P><P>rex field=subject max_match=0 “(?&lt;Incident&gt;INC\d+)”</P><P>however, for below subject line i am unable to fetch incident:—</P><P>[SecMail:] INC000027755501|TAS00003760220 wrdna904xusa73|server is unreachable | INC000027790458| INC000027882562</P> Thu, 20 Aug 2020 05:24:02 GMT https://community.splunk.com/t5/Splunk-Search/Fetch-incident-from-subject/m-p/515113#M144602 priya0709 2020-08-20T05:24:02Z https://community.splunk.com/t5/Splunk-Search/Fetch-incident-from-subject/m-p/515197#M144641 <P>Hi</P><P>I think that this is duplicate question to&nbsp;</P><P><A href="https://community.splunk.com/t5/Splunk-Search/Regex-help-for-incident/m-p/515131#M144610" target="_blank">https://community.splunk.com/t5/Splunk-Search/Regex-help-for-incident/m-p/515131#M144610</A></P><P>basically your issue seems to be wrong&nbsp;<SPAN>&nbsp;</SPAN><SPAN>“ and ”. Otherwise your query is working as expected just switch both of those to ".</SPAN></P><LI-CODE lang="java">| makeresults | eval subject="[SecMail:] INC000027755501|TAS00003760220 wrdna904xusa73|server is unreachable | INC000027790458| INC000027882562" | rex field=subject max_match=0 "(?&lt;Incident&gt;INC\d+)" | table Incident subject</LI-CODE><P>r. Ismo&nbsp;</P> Thu, 20 Aug 2020 12:19:02 GMT https://community.splunk.com/t5/Splunk-Search/Fetch-incident-from-subject/m-p/515197#M144641 isoutamo 2020-08-20T12:19:02Z https://community.splunk.com/t5/Splunk-Search/Fetch-incident-from-subject/m-p/515378#M144698 <P>thank you for your reply!!</P><P>however, My query</P><PRE>rex field=subject max_match=0 "(?&lt;Incident&gt;INC\d+)"</PRE><P>works fine for Eg1 in which INC is appended by space in subject line. however, for eg2 INC is appended by | in this case Incident number is not fetched.</P><P><BR />eg 1:- RE: INC0000756784 | server is unreachable&nbsp;</P><P>eg 2:- RE:INC0000564789|Minor|server unreachable&nbsp;</P> Fri, 21 Aug 2020 07:05:22 GMT https://community.splunk.com/t5/Splunk-Search/Fetch-incident-from-subject/m-p/515378#M144698 priya0709 2020-08-21T07:05:22Z https://community.splunk.com/t5/Splunk-Search/Fetch-incident-from-subject/m-p/515428#M144716 <P>When I just made copy &amp; paste from my previous example and then copy &amp; paste both of your examples (one by one), both are working.</P><P>I suppose that you still have some issue with " or something similar.</P><P>r. Ismo</P> Fri, 21 Aug 2020 12:01:09 GMT https://community.splunk.com/t5/Splunk-Search/Fetch-incident-from-subject/m-p/515428#M144716 isoutamo 2020-08-21T12:01:09Z https://community.splunk.com/t5/Splunk-Search/Fetch-incident-from-subject/m-p/515434#M144719 <P>It doesn’t think of other characters. It matches &nbsp;if there is INC FOLLOWED BY 10 digits.</P> Fri, 21 Aug 2020 12:30:28 GMT https://community.splunk.com/t5/Splunk-Search/Fetch-incident-from-subject/m-p/515434#M144719 thambisetty 2020-08-21T12:30:28Z