<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Need to create rex group expression in Splunk Search</title>
    <link>https://community.splunk.com/t5/Splunk-Search/Need-to-create-rex-group-expression/m-p/550150#M156122</link>
    <description>&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;\[[^\]]+\]\s+\w+\s(?&amp;lt;service&amp;gt;[^\/]+)\/((\w+\-)*?|)(?&amp;lt;hostname&amp;gt;\w+)(\-(?&amp;lt;port&amp;gt;\d+)|)?\s(\d+\/){4}(?&amp;lt;response&amp;gt;\d+)\s+&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Sun, 02 May 2021 22:49:54 GMT</pubDate>
    <dc:creator>ITWhisperer</dc:creator>
    <dc:date>2021-05-02T22:49:54Z</dc:date>
    <item>
      <title>Need to create rex group expression</title>
      <link>https://community.splunk.com/t5/Splunk-Search/Need-to-create-rex-group-expression/m-p/550030#M156084</link>
      <description>&lt;P&gt;Apr 30 09:13:30 localhost haproxy[22865]: 10.10.10.10:31872 [30/Apr/2021:09:13:30.362] verint rest_service/rest-hostname-8780 0/0/0/10/12 302 1973 - X-CSRF-TOKEN=NtOTKgh2hfTpjwTuRmx269ZR5qQhDRUtAOf0 ---- 32/32/6/0/0 0/0 {} "GET /test/te/ping/login HTTP/1.1"&lt;/P&gt;&lt;P&gt;Apr 30 09:13:30 localhost haproxy[22865]: 10.10.10.10:52353 [30/Apr/2021:09:13:30.322] verint rest_service/rest-hostname-8680 0/0/0/1/1 200 11537 - - ---- 32/32/6/1/0 0/0 {} "GET /filterservices/css/filters.css HTTP/1.1"&lt;/P&gt;&lt;P&gt;Apr 30 09:13:30 localhost haproxy[22865]: 10.10.10.10:42112 [30/Apr/2021:09:13:30.059] verint rest_service/rest-hostname-8780 0/0/12/143/202 200 122948 - - ---- 32/32/7/0/0 0/0 {} "GET /verintkm/js/tree.jquery.js HTTP/1.1"&lt;/P&gt;&lt;P&gt;The rex expression below is working fine up to the port number for the above events. Now I am trying to add an expression for "0/0/12/143/202 200". After the port group I need to create another group name (response time) for the value 202, which is the last value after the forward slash. [expr/expres/expre/expres/group name]&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;\[[^\]]+\]\s\w+\s(?&amp;lt;service&amp;gt;[^\/]+)\/\w+\-(?&amp;lt;hostname&amp;gt;\w+)\-(?&amp;lt;port&amp;gt;\d+)\s+&lt;/LI-CODE&gt;</description>
      <pubDate>Fri, 30 Apr 2021 15:10:59 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/Need-to-create-rex-group-expression/m-p/550030#M156084</guid>
      <dc:creator>ravir_jbp</dc:creator>
      <dc:date>2021-04-30T15:10:59Z</dc:date>
    </item>
    <item>
      <title>Re: Need to create rex group expression</title>
      <link>https://community.splunk.com/t5/Splunk-Search/Need-to-create-rex-group-expression/m-p/550036#M156086</link>
      <description>&lt;LI-CODE lang="markup"&gt;\[[^\]]+\]\s\w+\s(?&amp;lt;service&amp;gt;[^\/]+)\/\w+\-(?&amp;lt;hostname&amp;gt;\w+)\-(?&amp;lt;port&amp;gt;\d+)\s+(\d+\/){4}(?&amp;lt;response&amp;gt;\d+)\s+&lt;/LI-CODE&gt;</description>
      <pubDate>Fri, 30 Apr 2021 16:35:12 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/Need-to-create-rex-group-expression/m-p/550036#M156086</guid>
      <dc:creator>ITWhisperer</dc:creator>
      <dc:date>2021-04-30T16:35:12Z</dc:date>
    </item>
    <item>
      <title>Re: Need to create rex group expression</title>
      <link>https://community.splunk.com/t5/Splunk-Search/Need-to-create-rex-group-expression/m-p/550149#M156121</link>
      <description>&lt;P&gt;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168"&gt;@ITWhisperer&lt;/a&gt;&lt;/P&gt;&lt;P&gt;Thank you for your quick response. This script worked for two types of events. When I tried to search, I have 14 different types of events in the HAProxy logs. On the regex101 site I was able to find only two types of events. I have mentioned the 14 different types of events. Can you help me to add a few expressions so that it matches all events? I tried for many hours but am not getting the group name field. Please help.&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;May  2 12:46:10 localhost haproxy[59527]: XX.XX.XX.XX:64321 [02/May/2021:12:46:10.887] vendor tag_service/tag-service-hostname 0/0/0/4/4 200 1384 - - ---- 2/2/0/0/0 0/0 {} "GET /km-tag-service/default/tag/newchange?flatten=true&amp;amp;size=150 HTTP/1.1"


May  2 12:46:10 localhost haproxy[59527]: XX.XX.XX.XX:30273 [02/May/2021:12:46:10.801] vendor apache_static/apache-hostname 0/0/0/21/22 200 21076 - - ---- 3/3/0/0/0 0/0 {} "GET /filestorage/KM/files/uploaded/ssfadfadfasdf HTTP/1.1"



May  2 12:46:10 localhost haproxy[59527]: XX.XX.XX.XX:46529 [02/May/2021:12:46:10.576] vendor km_bookmark_service/km-bookmark-hostname 0/0/0/198/198 200 1204 - - ---- 2/2/0/0/0 0/0 {} "GET /km-bookmark-service/default/bookmark/test/KfsafasdfsadffdfdfsdF79?lang=en-US HTTP/1.1"


May  2 12:46:10 localhost haproxy[59527]: XX.XX.XX.XX:65505 [02/May/2021:12:46:10.599] vendor soap_services/soap-hostname-8281 0/0/0/166/166 200 26596 - - ---- 4/4/0/0/0 0/0 {} "POST /GTConnect/StatelessSoapAcceptor/?gtxInitialProcess=AddKnowContentServices.API.BookmarkService.KMBookmarkServiceV1 HTTP/1.1"



May  2 12:46:10 localhost haproxy[59527]: XX.XX.XX.XX:34269 [02/May/2021:12:46:10.578] vendor all_solr_servers/solr-slave-hostname 0/0/0/8/10 200 2777 - - ---- 4/4/0/0/0 0/0 {} "POST /solr/KM/select HTTP/1.1"

 
May  2 12:46:10 localhost haproxy[56287]: XX.XX.XX.XX:5697 [02/May/2021:12:46:09.960] vendor asset_service/asset-service-hostname 0/0/0/868/870 200 25069 - - ---- 3/3/0/0/0 0/0 {} "GET /km-asset-service/default/asset/file/Hospital_Reference_Laboratory_Protocol_Denial_Time1617629752632.htm?contentID=KMlJd3VMJI5Q8E08h95F79&amp;amp;lang=en-US&amp;amp;version=10.0 HTTP/1.1"


 
May  2 12:46:10 localhost haproxy[15523]: XX.XX.XX.XX:15361 [02/May/2021:12:46:10.429] vendor km_content_service/km-content-hostname 0/0/0/227/227 204 252 - - ---- 1/1/1/0/0 0/0 {} "POST /km-content-service/default/content/vkm:AuthoredContent/46eccba9-2902-4c9b-a51b-4669726ddbc5/en-US?externalSearchId=asfafasdfdsfsadfdfadfsafasdfc HTTP/1.1"


May  2 12:46:10 localhost haproxy[14380]: XX.XX.XX.XX:43521 [02/May/2021:12:46:09.945] vendor rest_service/rest-hostname-8780 0/0/0/887/887 200 21245 X-CSRF-TOKEN=2ofYcQfOxKKvm938FvZt79rSWXPnc7yqr91f - ---- 4/4/0/0/0 0/0 {} "GET /contentservices/km/asset/gasdfasdfsd.test.com%3A443 HTTP/1.1"


May  2 12:46:05 localhost haproxy[15523]: XX.XX.XX.XX:12647 [02/May/2021:12:46:05.720] vendor km_search_service/km-search-hostname 0/0/0/271/272 200 66149 - - ---- 0/0/0/0/0 0/0 {} "GET /km-search-service/default/search?query=search%20callback&amp;amp;tag=kbas HTTP/1.1"

 
May  2 12:46:02 localhost haproxy[22865]: XX.XX.XX.XX:26962 [02/May/2021:12:44:02.074] vendor agent_desktop/hostname-8283 0/0/0/120003/120003 200 8857 X-CSRF-TOKEN=adfadsfdafdffdafsdafsd - --VN 3/3/2/0/0 0/0 {} "POST /GTConnect/UnifiedAcceptor/?mode=pushconnect&amp;amp;logicalSessionID=AddKnowPageSetServices.Implementation.PageSetV1.RestPageSet&amp;amp;window=primaryWindow HTTP/1.1"

 
May  2 12:46:01 localhost haproxy[59527]: XX.XX.XX.XX:2113 [02/May/2021:12:46:01.533] vendor km_indexer/km-indexer-hostname 0/0/0/6/6 200 126 - - ---- 3/3/0/0/0 0/0 {} "GET /search-contribution/admin/v1/isIndexFieldCacheStale?timestamp=1619842290988 HTTP/1.1"

 
May  2 12:45:42 localhost haproxy[56287]: XX.XX.XX.XX:39617 [02/May/2021:12:45:42.144]  vendor agent_service/agent-services-hostname 0/0/0/154/155 200 2646 - - ---- 3/3/0/0/0 0/0 {} "GET /agent-service/defauasfdasfsdfsions?profiletest HTTP/1.1"


May  2 12:45:42 localhost haproxy[59527]: XX.XX.XX.XX:46529 [02/May/2021:12:45:41.950] vendor cre_services/cre-services-hostname 0/0/0/362/362 200 2829 - - ---- 2/2/0/0/0 0/0 {} "POST /oidc-token-service/default/token HTTP/1.1"

May  2 12:45:42 localhost haproxy[15523]: XX.XX.XX.XX:42189 [02/May/2021:12:45:41.992] vendor agent_synchronizer/agent-synchronizer-hostname 0/0/0/142/142 200 627 - - ---- 2/2/0/0/0 0/0 {} "POST /agent-synchronizer/default/synchronizedAgent HTTP/1.1"&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sun, 02 May 2021 18:09:03 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/Need-to-create-rex-group-expression/m-p/550149#M156121</guid>
      <dc:creator>ravir_jbp</dc:creator>
      <dc:date>2021-05-02T18:09:03Z</dc:date>
    </item>
    <item>
      <title>Re: Need to create rex group expression</title>
      <link>https://community.splunk.com/t5/Splunk-Search/Need-to-create-rex-group-expression/m-p/550150#M156122</link>
      <description>&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;\[[^\]]+\]\s+\w+\s(?&amp;lt;service&amp;gt;[^\/]+)\/((\w+\-)*?|)(?&amp;lt;hostname&amp;gt;\w+)(\-(?&amp;lt;port&amp;gt;\d+)|)?\s(\d+\/){4}(?&amp;lt;response&amp;gt;\d+)\s+&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sun, 02 May 2021 22:49:54 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/Need-to-create-rex-group-expression/m-p/550150#M156122</guid>
      <dc:creator>ITWhisperer</dc:creator>
      <dc:date>2021-05-02T22:49:54Z</dc:date>
    </item>
  </channel>
</rss>

