https://community.splunk.com/t5/Splunk-Search/extract-a-value-from-raw-field/m-p/535557#M151365 <P>That's easy to do with <FONT face="courier new,courier">rex</FONT>.</P><P>&nbsp;</P><LI-CODE lang="markup">| rex "INFO (?&lt;Info&gt;\S+)" | rex "SetID (?&lt;SetID&gt;\S+)" | rex "Status (?&lt;Status&gt;)\w+)" | rex "ContactID \[(?&lt;ContactID&gt;[^\]]+)" | rex "CaseID \[(?&lt;CaseID&gt;[^\]]+)"</LI-CODE><P>&nbsp;</P> Tue, 12 Jan 2021 20:46:53 GMT richgalloway 2021-01-12T20:46:53Z https://community.splunk.com/t5/Splunk-Search/extract-a-value-from-raw-field/m-p/535514#M151349 <P>Hi ,</P><P><BR />There is a way to extract a value from field even there is no = between Key and Value? After extracting I want to use them as a search criteria. Unfortunatelly I need to work with data which are not optimized for splunk.</P><P>For example : I have the following raw field:</P><P>"<SPAN>2020-12-16 13:39:00.7174 INFO 001d1764-80c3-4c35-87c7-ec25382b4328 IM_Contact with SetID Cardlink_DCDOB2012146196-1006 has current Status Completed. ContactID [CO-000085513778], CaseID [CA-000002980184] APOrchestrator.ProcessIncomingMessage =&gt; ServiceQueueOrchestrator`2.LogContactStatus =&gt; Logger.LogInfo</SPAN>"</P><P>&nbsp;</P><P>I want to extract following key / values:</P><P>Info =&nbsp;<SPAN>001d1764-80c3-4c35-87c7-ec25382b4328</SPAN></P><P><SPAN>SetID =&nbsp;Cardlink_DCDOB2012146196-1006</SPAN></P><P><SPAN>Status = Completed</SPAN></P><P><SPAN>ContactID =&nbsp;CO-000085513778</SPAN></P><P><SPAN>CaseID =&nbsp;CA-000002980184</SPAN></P><P>&nbsp;</P><P><SPAN>Found some interesting answers but all of them working with real key value pairs (fields) as a basis.</SPAN></P><P>&nbsp;</P> Tue, 12 Jan 2021 17:00:06 GMT https://community.splunk.com/t5/Splunk-Search/extract-a-value-from-raw-field/m-p/535514#M151349 alexanderschlau 2021-01-12T17:00:06Z https://community.splunk.com/t5/Splunk-Search/extract-a-value-from-raw-field/m-p/535557#M151365 <P>That's easy to do with <FONT face="courier new,courier">rex</FONT>.</P><P>&nbsp;</P><LI-CODE lang="markup">| rex "INFO (?&lt;Info&gt;\S+)" | rex "SetID (?&lt;SetID&gt;\S+)" | rex "Status (?&lt;Status&gt;)\w+)" | rex "ContactID \[(?&lt;ContactID&gt;[^\]]+)" | rex "CaseID \[(?&lt;CaseID&gt;[^\]]+)"</LI-CODE><P>&nbsp;</P> Tue, 12 Jan 2021 20:46:53 GMT https://community.splunk.com/t5/Splunk-Search/extract-a-value-from-raw-field/m-p/535557#M151365 richgalloway 2021-01-12T20:46:53Z https://community.splunk.com/t5/Splunk-Search/extract-a-value-from-raw-field/m-p/535618#M151390 <P>great, so simple and works, thank&nbsp;</P> Wed, 13 Jan 2021 08:34:15 GMT https://community.splunk.com/t5/Splunk-Search/extract-a-value-from-raw-field/m-p/535618#M151390 alexanderschlau 2021-01-13T08:34:15Z https://community.splunk.com/t5/Splunk-Search/extract-a-value-from-raw-field/m-p/535620#M151392 <P>I think there is a little change in&nbsp;CaseID and&nbsp;ContactID needed but I got the principle</P> Wed, 13 Jan 2021 08:39:39 GMT https://community.splunk.com/t5/Splunk-Search/extract-a-value-from-raw-field/m-p/535620#M151392 alexanderschlau 2021-01-13T08:39:39Z https://community.splunk.com/t5/Splunk-Search/extract-a-value-from-raw-field/m-p/535656#M151401 <P>If your problem is resolved, then please click the "Accept as Solution" button to help future readers.</P> Wed, 13 Jan 2021 13:51:17 GMT https://community.splunk.com/t5/Splunk-Search/extract-a-value-from-raw-field/m-p/535656#M151401 richgalloway 2021-01-13T13:51:17Z