https://community.splunk.com/t5/Splunk-Search/Need-help-with-Rex-Function/m-p/524001#M147846 <P class="lia-align-left">I got a variable called _host_name which = usscic-secfio102.na.xxx.com.&nbsp; I need to derive a variable called host_short which will have the value of&nbsp;usscic-secfio102&nbsp; &nbsp;-- I use Ruby Regular expression editor to figure out expression to get string i need -- it's&nbsp; &nbsp; ^\w+.\w+&nbsp; &nbsp; &nbsp;How do I integrate in querty using rex?</P><P class="lia-align-center">&nbsp;</P><P class="lia-align-center">index=cisco sourcetype=cisco_asa AND vendor_action=permitted AND host=158.11.333.444 | eval service=transport."/".dest_port| lookup dnslookup ip as host output host as host_name| rex????? | table host_short</P> Sat, 10 Oct 2020 00:11:25 GMT Stephen11 2020-10-10T00:11:25Z https://community.splunk.com/t5/Splunk-Search/Need-help-with-Rex-Function/m-p/524001#M147846 <P class="lia-align-left">I got a variable called _host_name which = usscic-secfio102.na.xxx.com.&nbsp; I need to derive a variable called host_short which will have the value of&nbsp;usscic-secfio102&nbsp; &nbsp;-- I use Ruby Regular expression editor to figure out expression to get string i need -- it's&nbsp; &nbsp; ^\w+.\w+&nbsp; &nbsp; &nbsp;How do I integrate in querty using rex?</P><P class="lia-align-center">&nbsp;</P><P class="lia-align-center">index=cisco sourcetype=cisco_asa AND vendor_action=permitted AND host=158.11.333.444 | eval service=transport."/".dest_port| lookup dnslookup ip as host output host as host_name| rex????? | table host_short</P> Sat, 10 Oct 2020 00:11:25 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-with-Rex-Function/m-p/524001#M147846 Stephen11 2020-10-10T00:11:25Z https://community.splunk.com/t5/Splunk-Search/Need-help-with-Rex-Function/m-p/524003#M147847 <P>rex field=<SPAN>called _host_name "(?&lt;short_host&gt;[^\.]+)"<BR />how about this?</SPAN></P> Sat, 10 Oct 2020 00:31:30 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-with-Rex-Function/m-p/524003#M147847 to4kawa 2020-10-10T00:31:30Z https://community.splunk.com/t5/Splunk-Search/Need-help-with-Rex-Function/m-p/524123#M147874 <P>thanks ... that was easy</P><P>&nbsp;</P> Sun, 11 Oct 2020 20:31:06 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-with-Rex-Function/m-p/524123#M147874 Stephen11 2020-10-11T20:31:06Z