https://community.splunk.com/t5/Splunk-Search/Field-extraction-for-multiple-types-of-values/m-p/541709#M153375 <P>Hello all,</P><P>I am trying to extract the data from the field <U><STRONG>evtComponent</STRONG></U> from the below event, and this has a multiple types of data that is coming in as below.</P><P>1)&nbsp;ZENOSS-MIB::evtComponent = STRING: "<U><STRONG>HostSystem_host-1240</STRONG></U>" ZENOSS-MIB::evtClass = STRING: "/Status/Ping"</P><P>2)&nbsp;ZENOSS-MIB::evtComponent = STRING: "\"<U><STRONG>London</STRONG></U>\"" ZENOSS-MIB::evtClass = STRING:</P><P>&nbsp;</P><P>The highlighted fields needs to be extracted, however when I use the below extraction this only satisfies the correct extraction on example 1 but fails to just extract the field from example 2. Can you please suggest.</P><P>Below is the extraction that I am using.</P><P>ZENOSS-MIB::evtComponent = STRING: \"(?&lt;component&gt;.*)\"\s+ZENOSS-MIB::evtClass\s</P><P>&nbsp;</P><P>Thank you.</P> Mon, 01 Mar 2021 07:12:19 GMT srinivasgowda 2021-03-01T07:12:19Z https://community.splunk.com/t5/Splunk-Search/Field-extraction-for-multiple-types-of-values/m-p/541709#M153375 <P>Hello all,</P><P>I am trying to extract the data from the field <U><STRONG>evtComponent</STRONG></U> from the below event, and this has a multiple types of data that is coming in as below.</P><P>1)&nbsp;ZENOSS-MIB::evtComponent = STRING: "<U><STRONG>HostSystem_host-1240</STRONG></U>" ZENOSS-MIB::evtClass = STRING: "/Status/Ping"</P><P>2)&nbsp;ZENOSS-MIB::evtComponent = STRING: "\"<U><STRONG>London</STRONG></U>\"" ZENOSS-MIB::evtClass = STRING:</P><P>&nbsp;</P><P>The highlighted fields needs to be extracted, however when I use the below extraction this only satisfies the correct extraction on example 1 but fails to just extract the field from example 2. Can you please suggest.</P><P>Below is the extraction that I am using.</P><P>ZENOSS-MIB::evtComponent = STRING: \"(?&lt;component&gt;.*)\"\s+ZENOSS-MIB::evtClass\s</P><P>&nbsp;</P><P>Thank you.</P> Mon, 01 Mar 2021 07:12:19 GMT https://community.splunk.com/t5/Splunk-Search/Field-extraction-for-multiple-types-of-values/m-p/541709#M153375 srinivasgowda 2021-03-01T07:12:19Z https://community.splunk.com/t5/Splunk-Search/Field-extraction-for-multiple-types-of-values/m-p/541710#M153376 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/231485">@srinivasgowda</a>,</P><P>you should try to use two regexes:</P><P>the first</P><LI-CODE lang="markup">| rex "evtComponent\s+\=\s+STRING:\s+\"(?&lt;evtComponent&gt;[^\"]+)\"\s+"</LI-CODE><P>that you can test at&nbsp;<A href="https://regex101.com/r/Ip8Vj2/1" target="_blank">https://regex101.com/r/Ip8Vj2/1</A></P><P>the second</P><LI-CODE lang="markup">| rex "evtComponent\s+\=\s+STRING:\s+\"\\\"(?&lt;evtComponent&gt;[^\\]+)"</LI-CODE><P>that you can test at&nbsp;<A href="https://regex101.com/r/Ip8Vj2/2" target="_blank">https://regex101.com/r/Ip8Vj2/2</A></P><P>Ciao.</P><P>Giuseppe</P> Mon, 01 Mar 2021 07:34:43 GMT https://community.splunk.com/t5/Splunk-Search/Field-extraction-for-multiple-types-of-values/m-p/541710#M153376 gcusello 2021-03-01T07:34:43Z https://community.splunk.com/t5/Splunk-Search/Field-extraction-for-multiple-types-of-values/m-p/542478#M153666 <P>This worked. Thank you&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;</P> Fri, 05 Mar 2021 07:49:13 GMT https://community.splunk.com/t5/Splunk-Search/Field-extraction-for-multiple-types-of-values/m-p/542478#M153666 srinivasgowda 2021-03-05T07:49:13Z