https://community.splunk.com/t5/Splunk-Search/Splunk-Query-Regular-Expression/m-p/549092#M155769 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/233766">@ramzadabala</a>,</P><P>if in your logs you haven't backslashes before ", your regex is correct.</P><P>if instead in your logs you have backslashes before " (as in the sample you shared), the regex isn't correct and you have to modify it in this way:</P><LI-CODE lang="markup">| rex "consumer_application\\\":\\\"(?P&lt;Consumer&gt;.*?)\\\""</LI-CODE><P>&nbsp;You can test the regex at&nbsp;<A href="https://regex101.com/r/us0W8H/1" target="_blank">https://regex101.com/r/us0W8H/1</A></P><P>Ciao.</P><P>Giuseppe</P> Fri, 23 Apr 2021 09:41:09 GMT gcusello 2021-04-23T09:41:09Z https://community.splunk.com/t5/Splunk-Search/Splunk-Query-Regular-Expression/m-p/549087#M155767 <DIV><DIV class="grid fd-column fw-nowrap"><DIV class="grid fw-nowrap"><DIV class="grid--cell wmn0 fl1 lh-lg">&nbsp;</DIV></DIV></DIV><DIV class="grid fw-nowrap fc-black-600"><DIV class="grid--cell mr8">Dear Team,</DIV><DIV class="grid--cell lh-md">&nbsp;</DIV></DIV><DIV class="mt24 grid gsx gs8"><SPAN>I've below Splunk log and trying to get stats count based on consumer_application. I've tried below regular expression but no results were returned -</SPAN></DIV><DIV class="mt24 grid gsx gs8">&nbsp;</DIV></DIV><P><STRONG>Splunk Query</STRONG>:<SPAN>&nbsp;</SPAN>"uri":* (PaymentVerticle) | rex field=_raw "consumer_application\"\:\"(?P&lt;Consumer&gt;.*?)\"" | stats count by Consumer</P><P><STRONG>Splunk Log</STRONG><SPAN>&nbsp;</SPAN>2021-04-22T11:31:25.115912284Z app_name=java message={"name":"PaymentVerticle", "timestamp":"2021-04-22T11:31:25.115Z","level":"info","schemaVersion":"0.1","application":{"name":"PaymentVerticle","version":"1.1.1"},"request":{"address":{"uri":"PaymentVerticle"},"metadata":{"correlation_id":"042320210010GMT"}},"message":"Received request with body {\"payment_request\":{\"consumer_application\":\"BLUEPRISM\"}}"}</P> Fri, 23 Apr 2021 09:12:43 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Query-Regular-Expression/m-p/549087#M155767 ramzadabala 2021-04-23T09:12:43Z https://community.splunk.com/t5/Splunk-Search/Splunk-Query-Regular-Expression/m-p/549092#M155769 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/233766">@ramzadabala</a>,</P><P>if in your logs you haven't backslashes before ", your regex is correct.</P><P>if instead in your logs you have backslashes before " (as in the sample you shared), the regex isn't correct and you have to modify it in this way:</P><LI-CODE lang="markup">| rex "consumer_application\\\":\\\"(?P&lt;Consumer&gt;.*?)\\\""</LI-CODE><P>&nbsp;You can test the regex at&nbsp;<A href="https://regex101.com/r/us0W8H/1" target="_blank">https://regex101.com/r/us0W8H/1</A></P><P>Ciao.</P><P>Giuseppe</P> Fri, 23 Apr 2021 09:41:09 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Query-Regular-Expression/m-p/549092#M155769 gcusello 2021-04-23T09:41:09Z