https://community.splunk.com/t5/Splunk-Search/Help-on-REGEX-match-ignoring-non-mandatory-string-at-its-end/m-p/550264#M156145 <P>something like this maybe?<BR /><BR /></P><LI-CODE lang="markup">\((?&lt;rule_name&gt;.*?)(?:-00)?\)$</LI-CODE> Mon, 03 May 2021 19:24:54 GMT maciep 2021-05-03T19:24:54Z https://community.splunk.com/t5/Splunk-Search/Help-on-REGEX-match-ignoring-non-mandatory-string-at-its-end/m-p/550256#M156141 <P>Hello,</P><P>i searched few hours how to extract the RULE_NAME field from my Firewall logs without success.</P><P>RULE_NAME is at the end of the log line, between (). It can contain any characters, space, "-" or "_".</P><P>My problem comes from the fact that the RULE_NAME is sometimes finished by a 3 characters string i need to remove : "-00"</P><P>&nbsp;</P><P>Here is my actual REGEX, but it does't works for the simple "Internal Policy" RULE_NAME :&nbsp;</P><P>.*\s+\((?P&lt;RULE_NAME&gt;.*)?(-00)\)$</P><P>&nbsp;</P><P>Here are original logs lines i need to match :</P><P>May 3 16:35:02 10.40.1.254 May 3 16:35:02 MYFIREWALL.mycorp.lan firewall: msg_id="3000-0148" Allow 0-SSL-VPN Firebox 73 udp 20 128 172.XXX.XXX.14 172.XXX.XXX.1 54127 53 src_user="fgi@mycorp.com" (DNS-01-proxy_user.out-00)<BR />May 3 17:39:56 10.40.1.254 May 3 17:39:56 MYFIREWALL.mycorp.lan firewall: msg_id="3000-0148" Allow VLAN1-Lan-Trusted Firebox 69 udp 20 128 172.21.20.26 172.21.20.254 52481 53 msg="DNS Forwarding" src_user="yal@mycorp.lan" record_type="A" question="sync.srv.stackadapt.com" (Internal Policy)<BR />May 3 16:35:02 10.40.1.254 May 3 16:35:02 MYFIREWALL.mycorp.lan firewall: msg_id="3000-0148" Allow 0-SSL-VPN Firebox 73 udp 20 128 172.XXX.XXX.14 172.XXX.XXX.1 54127 53 src_user="fgi@mycorp.com" (My super rule name with space DNS.out)</P><P>Any idea on how to ignore the "-00" suffix when present ?</P><P>thanks</P><P>Florent</P><P>&nbsp;</P> Mon, 03 May 2021 17:57:04 GMT https://community.splunk.com/t5/Splunk-Search/Help-on-REGEX-match-ignoring-non-mandatory-string-at-its-end/m-p/550256#M156141 Flo-Paris 2021-05-03T17:57:04Z https://community.splunk.com/t5/Splunk-Search/Help-on-REGEX-match-ignoring-non-mandatory-string-at-its-end/m-p/550264#M156145 <P>something like this maybe?<BR /><BR /></P><LI-CODE lang="markup">\((?&lt;rule_name&gt;.*?)(?:-00)?\)$</LI-CODE> Mon, 03 May 2021 19:24:54 GMT https://community.splunk.com/t5/Splunk-Search/Help-on-REGEX-match-ignoring-non-mandatory-string-at-its-end/m-p/550264#M156145 maciep 2021-05-03T19:24:54Z https://community.splunk.com/t5/Splunk-Search/Help-on-REGEX-match-ignoring-non-mandatory-string-at-its-end/m-p/550270#M156148 <P>Thanks, it's perfect, seems so simple...when you master Regex ;-))</P> Mon, 03 May 2021 20:02:09 GMT https://community.splunk.com/t5/Splunk-Search/Help-on-REGEX-match-ignoring-non-mandatory-string-at-its-end/m-p/550270#M156148 Flo-Paris 2021-05-03T20:02:09Z https://community.splunk.com/t5/Splunk-Search/Help-on-REGEX-match-ignoring-non-mandatory-string-at-its-end/m-p/550387#M156184 <P>speaking of which....in case there are some rogues parens in the message, maybe this is even a bit safer - instead of matching everything...</P><LI-CODE lang="markup">\((?&lt;rule_name&gt;[^\(]+?)(?:-00)?\)$</LI-CODE><P>&nbsp;</P> Tue, 04 May 2021 12:12:23 GMT https://community.splunk.com/t5/Splunk-Search/Help-on-REGEX-match-ignoring-non-mandatory-string-at-its-end/m-p/550387#M156184 maciep 2021-05-04T12:12:23Z