https://community.splunk.com/t5/Splunk-Search/Regex-host-upper-case/m-p/515689#M144801 <P>This doesnt work by updating regex with A-Z</P> Mon, 24 Aug 2020 05:43:53 GMT priya0709 2020-08-24T05:43:53Z https://community.splunk.com/t5/Splunk-Search/Regex-host-upper-case/m-p/515684#M144797 <P>my query fetches (host, incident) from subject line by using below regex command</P><P>regex field=subject max_match=0 “(&lt;Incident&gt;INC\d{12})” | regex field=subject “(?&lt;host&gt;[a-z]{5}\d{3}\d[a-z]{4}\d\d)“</P><P>my query matches host from 1st query (1st query displays host based on some eventcode) and those host search for host in subject line and displays incident in separate column. &nbsp;however, &nbsp;incident is not fetched for host which are in uppercase Letter in subject and incident column remains blank for particular host. &nbsp;</P><P>&nbsp;</P> Mon, 24 Aug 2020 05:22:50 GMT https://community.splunk.com/t5/Splunk-Search/Regex-host-upper-case/m-p/515684#M144797 priya0709 2020-08-24T05:22:50Z https://community.splunk.com/t5/Splunk-Search/Regex-host-upper-case/m-p/515687#M144799 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/224530">@priya0709</a>&nbsp;, can you try adding A-Z in host part of the existing regex as below</P><P><SPAN>regex field=subject max_match=0 “(&lt;Incident&gt;INC\d{12})” | regex field=subject “(?&lt;host&gt;[a-zA-Z]{5}\d{3}\d[a-zA-Z]{4}\d\d)“</SPAN></P><P>&nbsp;</P><P>&nbsp;</P><P><SPAN>please upvote my response if it helps!</SPAN></P> Mon, 24 Aug 2020 05:34:42 GMT https://community.splunk.com/t5/Splunk-Search/Regex-host-upper-case/m-p/515687#M144799 Nisha18789 2020-08-24T05:34:42Z https://community.splunk.com/t5/Splunk-Search/Regex-host-upper-case/m-p/515689#M144801 <P>This doesnt work by updating regex with A-Z</P> Mon, 24 Aug 2020 05:43:53 GMT https://community.splunk.com/t5/Splunk-Search/Regex-host-upper-case/m-p/515689#M144801 priya0709 2020-08-24T05:43:53Z https://community.splunk.com/t5/Splunk-Search/Regex-host-upper-case/m-p/515690#M144802 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/224530">@priya0709</a>&nbsp;can you provide with a sample text of the log on which you are applying this regex?</P><P>&nbsp;</P> Mon, 24 Aug 2020 05:45:33 GMT https://community.splunk.com/t5/Splunk-Search/Regex-host-upper-case/m-p/515690#M144802 Nisha18789 2020-08-24T05:45:33Z https://community.splunk.com/t5/Splunk-Search/Regex-host-upper-case/m-p/515693#M144803 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="953EA21C-375E-473A-A80A-CBA55F4A49A9.jpeg" style="width: 4028px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/10454i01693E675DC4BFEC/image-size/medium?v=v2&amp;px=400" role="button" title="953EA21C-375E-473A-A80A-CBA55F4A49A9.jpeg" alt="953EA21C-375E-473A-A80A-CBA55F4A49A9.jpeg" /></span></P><P> please see this subject line if my first query fetches host wsini606xasi01 and when it matches with above subject based on regex query In which&nbsp;<SPAN>wsini606xasi01 is in &nbsp;uppercase it does not displays incident in another column. When 1st query and 2nd query both are in lower case host matches and displays incident.</SPAN></P> Mon, 24 Aug 2020 06:06:48 GMT https://community.splunk.com/t5/Splunk-Search/Regex-host-upper-case/m-p/515693#M144803 priya0709 2020-08-24T06:06:48Z https://community.splunk.com/t5/Splunk-Search/Regex-host-upper-case/m-p/515715#M144807 <P>hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/224530">@priya0709</a>&nbsp;, this should work&nbsp;</P><P>| rex field=text "(?&lt;Incident&gt;INC\d{12})"<BR />| rex field=text "(?&lt;host&gt;[a-zA-Z]{5}\d{3}[a-zA-Z]{4}\d{2})"</P><P>&nbsp;</P> Mon, 24 Aug 2020 08:31:06 GMT https://community.splunk.com/t5/Splunk-Search/Regex-host-upper-case/m-p/515715#M144807 Nisha18789 2020-08-24T08:31:06Z https://community.splunk.com/t5/Splunk-Search/Regex-host-upper-case/m-p/515722#M144808 <P>Still not working <span class="lia-unicode-emoji" title=":worried_face:">😟</span></P> Mon, 24 Aug 2020 08:40:03 GMT https://community.splunk.com/t5/Splunk-Search/Regex-host-upper-case/m-p/515722#M144808 priya0709 2020-08-24T08:40:03Z https://community.splunk.com/t5/Splunk-Search/Regex-host-upper-case/m-p/515742#M144811 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/224530">@priya0709</a>&nbsp;, its very strange , the same works below, this is the run anywhere query</P><P>&nbsp;</P><P>| makeresults<BR />| eval subject="INC201564712349/SGH821VYX1 please perform hardware diagonostics on wsini606xasi01 for a bug"<BR />| rex field=subject "(?&lt;Incident&gt;INC\d{12})"<BR />| rex field=subject "(?&lt;host&gt;[a-zA-Z]{5}\d{3}[a-zA-Z]{4}\d{2})"<BR />| fields - _time</P> Mon, 24 Aug 2020 10:10:32 GMT https://community.splunk.com/t5/Splunk-Search/Regex-host-upper-case/m-p/515742#M144811 Nisha18789 2020-08-24T10:10:32Z https://community.splunk.com/t5/Splunk-Search/Regex-host-upper-case/m-p/515759#M144814 <P>Thank you for your reply</P><P>will this query work only for the defined subject or for any subject line which has server in uppercase letter??</P><P>&nbsp;</P> Mon, 24 Aug 2020 11:58:49 GMT https://community.splunk.com/t5/Splunk-Search/Regex-host-upper-case/m-p/515759#M144814 priya0709 2020-08-24T11:58:49Z https://community.splunk.com/t5/Splunk-Search/Regex-host-upper-case/m-p/515766#M144817 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/224530">@priya0709</a>&nbsp;, I have wrote that query based on the subject data you have provided, but given the host format is always liek below it will work.</P><P>5 letters+3 digits+4 letters+ 2 digits</P> Mon, 24 Aug 2020 12:14:46 GMT https://community.splunk.com/t5/Splunk-Search/Regex-host-upper-case/m-p/515766#M144817 Nisha18789 2020-08-24T12:14:46Z