https://community.splunk.com/t5/Splunk-Search/parse-and-index-json-fields-from-string-message/m-p/540414#M152887 <P>This gives me what i want but i am unable to index it in splunk&nbsp;</P><P>(?&lt;=streamstart-).*?(?=streamstop)</P> Thu, 18 Feb 2021 16:50:50 GMT vashodha 2021-02-18T16:50:50Z https://community.splunk.com/t5/Splunk-Search/parse-and-index-json-fields-from-string-message/m-p/540413#M152886 <P>Hello,</P><P>I have log in the format&nbsp;</P><P>"<SPAN class="t">2021-02-18T16:17:12</SPAN><SPAN>,</SPAN><SPAN class="t">189Z</SPAN><SPAN> [</SPAN><SPAN class="t">main</SPAN><SPAN>] </SPAN><SPAN class="t">INFO</SPAN>&nbsp;logname&nbsp;<SPAN class="t">-</SPAN><SPAN class="t">streamstart-k1:V1</SPAN><SPAN>,</SPAN><SPAN class="t">K2:V2</SPAN><SPAN>,</SPAN><SPAN class="t">K3:V3</SPAN><SPAN>,stream<SPAN class="t">stop, &lt;ADDIITONAL DATA&gt;</SPAN>"&nbsp; i want to parse out json elements k1:v1 etc thats between&nbsp; "-<SPAN class="t">streamstart" and&nbsp;streamstop</SPAN></SPAN></P> Thu, 18 Feb 2021 16:28:57 GMT https://community.splunk.com/t5/Splunk-Search/parse-and-index-json-fields-from-string-message/m-p/540413#M152886 vashodha 2021-02-18T16:28:57Z https://community.splunk.com/t5/Splunk-Search/parse-and-index-json-fields-from-string-message/m-p/540414#M152887 <P>This gives me what i want but i am unable to index it in splunk&nbsp;</P><P>(?&lt;=streamstart-).*?(?=streamstop)</P> Thu, 18 Feb 2021 16:50:50 GMT https://community.splunk.com/t5/Splunk-Search/parse-and-index-json-fields-from-string-message/m-p/540414#M152887 vashodha 2021-02-18T16:50:50Z https://community.splunk.com/t5/Splunk-Search/parse-and-index-json-fields-from-string-message/m-p/540434#M152893 <P>Try this</P><P>rex "<SPAN>streamstart(?&lt;myvariable&gt;(.*)(?=stream<SPAN class="t">stop</SPAN>))</SPAN>"</P><P>&nbsp;</P> Thu, 18 Feb 2021 19:43:51 GMT https://community.splunk.com/t5/Splunk-Search/parse-and-index-json-fields-from-string-message/m-p/540434#M152893 b4badri 2021-02-18T19:43:51Z https://community.splunk.com/t5/Splunk-Search/parse-and-index-json-fields-from-string-message/m-p/540443#M152896 <P>it does the job but still dosent index the fields its extracted it out to the variable&nbsp; can we somehow index these csv values</P> Thu, 18 Feb 2021 21:41:47 GMT https://community.splunk.com/t5/Splunk-Search/parse-and-index-json-fields-from-string-message/m-p/540443#M152896 vashodha 2021-02-18T21:41:47Z https://community.splunk.com/t5/Splunk-Search/parse-and-index-json-fields-from-string-message/m-p/540474#M152910 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/231655">@vashodha</a>&nbsp;</P><P>Yes. Data extracted using rex in the search time will only be available for the search. You need to follow series of steps based on your Splunk solution for creating fields at Index time.</P><P>Please refer the below article.</P><P><A href="https://docs.splunk.com/Documentation/Splunk/8.1.1/Data/Configureindex-timefieldextraction" target="_blank" rel="noopener">Create custom fields at index time - Splunk Documentation</A></P> Fri, 19 Feb 2021 06:30:40 GMT https://community.splunk.com/t5/Splunk-Search/parse-and-index-json-fields-from-string-message/m-p/540474#M152910 b4badri 2021-02-19T06:30:40Z