https://community.splunk.com/t5/Splunk-Search/Regex-help/m-p/538811#M152355 <P>both of those worked thank you !!!</P> Fri, 05 Feb 2021 18:17:52 GMT tkerr1357 2021-02-05T18:17:52Z https://community.splunk.com/t5/Splunk-Search/Regex-help/m-p/538803#M152349 <P>hey all looking for some help pulling some digits via regex. I am looking to pull the numbers directly after Actual value(in the example event below 48). I would like to exclude the quotes and comma if possible.&nbsp;</P><P>&nbsp;</P><P><SPAN class="t">LogName=LoginPI</SPAN> <SPAN class="t">Events</SPAN> <SPAN class="t">EventCode=1300</SPAN> <SPAN class="t">EventType=4</SPAN> <SPAN class="t">ComputerName=RNBSVSIMGT02.rightnetworks.com</SPAN> <SPAN class="t">SourceName=Login</SPAN> <SPAN class="t">Threshold</SPAN> <SPAN class="t">Exceeded</SPAN> <SPAN class="t">Type=Information</SPAN> <SPAN class="t">RecordNumber=285782</SPAN> <SPAN class="t">Keywords=Classic</SPAN> <SPAN class="t">TaskCategory=None</SPAN> <SPAN class="t">OpCode=Info</SPAN> <SPAN class="t">Message=</SPAN><SPAN>{ "</SPAN><SPAN class="t">Description</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN> "</SPAN><SPAN class="t">Total</SPAN> <SPAN class="t">login</SPAN> <SPAN class="t">time</SPAN><SPAN> (</SPAN><SPAN class="t">48s</SPAN><SPAN>) </SPAN><SPAN class="t">exceeded</SPAN> <SPAN class="t">threshold</SPAN> <SPAN class="t">of</SPAN> <SPAN class="t">45s</SPAN><SPAN> (</SPAN><SPAN class="t">6.67%</SPAN><SPAN>)", "</SPAN><SPAN class="t">Actual</SPAN> <SPAN class="t">value</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN> "</SPAN><SPAN class="t">48</SPAN><SPAN>", "</SPAN><SPAN class="t">Threshold</SPAN> <SPAN class="t">value</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN> "</SPAN><SPAN class="t">45</SPAN><SPAN>", "</SPAN><SPAN class="t">AccountId</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN> "</SPAN><SPAN class="t">4c06e54e-ab5f-47a6-2cc7-08d807c9fae2</SPAN><SPAN>", "</SPAN><SPAN class="t">AccountName</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN> "</SPAN><SPAN class="t">rightnetworks\\eloginpi049</SPAN><SPAN>", "</SPAN><SPAN class="t">LauncherName</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN> "</SPAN><SPAN class="t">RNBSVSI21</SPAN><SPAN>", "</SPAN><SPAN class="t">Locale</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN> "</SPAN><SPAN class="t">English</SPAN><SPAN> (</SPAN><SPAN class="t">United</SPAN> <SPAN class="t">States</SPAN><SPAN>)", "</SPAN><SPAN class="t">RemotingProtocol</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN> "</SPAN><SPAN class="t">Rdp</SPAN><SPAN>", "</SPAN><SPAN class="t">Resolution</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN> "</SPAN><SPAN class="t">1920</SPAN> <SPAN class="t">×</SPAN> <SPAN class="t">1080</SPAN><SPAN>", "</SPAN><SPAN class="t">ScaleFactor</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN> "</SPAN><SPAN class="t">100%</SPAN><SPAN>", "</SPAN><SPAN class="t">TargetHost</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN> "</SPAN><SPAN class="t">BPSQCP00S143</SPAN><SPAN>", "</SPAN><SPAN class="t">TargetOS</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN> "</SPAN><SPAN class="t">Microsoft</SPAN> <SPAN class="t">Windows</SPAN> <SPAN class="t">Server</SPAN> <SPAN class="t">2016</SPAN> <SPAN class="t">Standard</SPAN> <SPAN class="t">10.0.14393</SPAN><SPAN> (</SPAN><SPAN class="t">1607</SPAN><SPAN>)", "</SPAN><SPAN class="t">EnvironmentName</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN> "</SPAN><SPAN class="t">BPSQCP00S143</SPAN><SPAN>", "</SPAN><SPAN class="t">EnvironmentId</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN> "</SPAN><SPAN class="t">06a3c4a2-6f73-4c54-94e9-08d8040960f8</SPAN><SPAN>", "</SPAN><SPAN class="t">Title</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN> "</SPAN><SPAN class="t">Login</SPAN> <SPAN class="t">time</SPAN> <SPAN class="t">threshold</SPAN> <SPAN class="t">exceeded</SPAN><SPAN>"</SPAN></P> Fri, 05 Feb 2021 17:35:55 GMT https://community.splunk.com/t5/Splunk-Search/Regex-help/m-p/538803#M152349 tkerr1357 2021-02-05T17:35:55Z https://community.splunk.com/t5/Splunk-Search/Regex-help/m-p/538804#M152350 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/34998">@tkerr1357</a>,</P><P>please, try this:</P><LI-CODE lang="markup">| rex "Actual\s+value\":\s+\"(?&lt;actual_value&gt;[^\"]+)\""</LI-CODE><P>that you can test at&nbsp;<A href="https://regex101.com/r/0CVPNF/1" target="_blank">https://regex101.com/r/0CVPNF/1</A></P><P>Ciao.</P><P>Giuseppe</P> Fri, 05 Feb 2021 17:40:48 GMT https://community.splunk.com/t5/Splunk-Search/Regex-help/m-p/538804#M152350 gcusello 2021-02-05T17:40:48Z https://community.splunk.com/t5/Splunk-Search/Regex-help/m-p/538806#M152352 <P>This may help..</P><P>|makeresults | eval _raw="LogName=LoginPI Events EventCode=1300 EventType=4 ComputerName=RNBSVSIMGT02.rightnetworks.com SourceName=Login Threshold Exceeded Type=Information RecordNumber=285782 Keywords=Classic TaskCategory=None OpCode=Info Message={ \"Description\": \"Total login time (48s) exceeded threshold of 45s (6.67%)\", \"Actual value\": \"48\", \"Threshold value\": \"45\", \"AccountId\": \"4c06e54e-ab5f-47a6-2cc7-08d807c9fae2\", \"AccountName\": \"rightnetworks\\eloginpi049\", \"LauncherName\": \"RNBSVSI21\", \"Locale\": \"English (United States)\", \"RemotingProtocol\": \"Rdp\", \"Resolution\": \"1920 × 1080\", \"ScaleFactor\": \"100%\", \"TargetHost\": \"BPSQCP00S143\", \"TargetOS\": \"Microsoft Windows Server 2016 Standard 10.0.14393 (1607)\", \"EnvironmentName\": \"BPSQCP00S143\", \"EnvironmentId\": \"06a3c4a2-6f73-4c54-94e9-08d8040960f8\", \"Title\": \"Login time threshold exceeded" | rex field=_raw "Actual value\\\":\s+\\\"(?&lt;actual_value&gt;\d+)"</P> Fri, 05 Feb 2021 17:45:07 GMT https://community.splunk.com/t5/Splunk-Search/Regex-help/m-p/538806#M152352 saravanan90 2021-02-05T17:45:07Z https://community.splunk.com/t5/Splunk-Search/Regex-help/m-p/538811#M152355 <P>both of those worked thank you !!!</P> Fri, 05 Feb 2021 18:17:52 GMT https://community.splunk.com/t5/Splunk-Search/Regex-help/m-p/538811#M152355 tkerr1357 2021-02-05T18:17:52Z