https://community.splunk.com/t5/Splunk-Search/How-to-get-certain-field-from-data-using-rex/m-p/551517#M156509 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/233122">@MeMilo09</a>&nbsp;</P><P>"for " forces a match against that exact text. Without it, your match should have included both the text before the base file name and the base file name itself. The source text doesn't need to begin with "for;" that would require additional logic in the regex.</P><P>The (?&lt;xxx&gt;...) sequence defines a capture group with name xxx. In Splunk, xxx becomes the extracted field name.</P><P>[^.]+ means "match one or more characters that are not a period." The match will stop when it encounters the dot in the file name.</P> Fri, 14 May 2021 01:11:06 GMT tscroggins 2021-05-14T01:11:06Z https://community.splunk.com/t5/Splunk-Search/How-to-get-certain-field-from-data-using-rex/m-p/551410#M156485 <P>Hey There,&nbsp;</P><P>I have seen the Splunk. com answers and the rex cheat sheets online. However, I cant seem to get rex command to work to extract what I need from the data. I only need the&nbsp;XX_LMP_123456789_123 without the .pdf.&nbsp; Can someone guide me on how to achieve this?&nbsp;<BR /><BR />just need&nbsp;XX_LMP_123456789_123&nbsp;</P><LI-CODE lang="markup">failureMsg="Failure to populate pdf file for XX_LMP_123456789_123.pdf in LOB_1234567_9_4567890_delivery_.pdf" </LI-CODE><P>&nbsp;</P> Thu, 13 May 2021 00:28:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-certain-field-from-data-using-rex/m-p/551410#M156485 MeMilo09 2021-05-13T00:28:19Z https://community.splunk.com/t5/Splunk-Search/How-to-get-certain-field-from-data-using-rex/m-p/551411#M156486 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/233122">@MeMilo09</a>&nbsp;</P><P>This should work:</P><P>| rex field=failureMsg "for (?&lt;basename&gt;.*?)\\.pdf"</P><P>or this:</P><P><SPAN>| rex field=failureMsg "for (?&lt;basename&gt;[^.]+)"</SPAN></P><P>and others, depending on how much variation exists in your source text.</P> Thu, 13 May 2021 00:51:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-certain-field-from-data-using-rex/m-p/551411#M156486 tscroggins 2021-05-13T00:51:58Z https://community.splunk.com/t5/Splunk-Search/How-to-get-certain-field-from-data-using-rex/m-p/551514#M156508 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/49493">@tscroggins</a>&nbsp;<BR /><BR />Thanks for your help this works perfectly.&nbsp; would you mind explaining the rex characters<BR /><BR /><SPAN>| rex field=failureMsg "for (?&lt;basename&gt;[^.]+)"</SPAN><BR /><BR /><STRONG>"for</STRONG>" why use for here ?- this actually works even if the failureMsg does not begin with for, but not sure why.&nbsp;<BR /><BR /><STRONG>?</STRONG>&nbsp; stands for 0 or 1, but my failureMsg could have letters too and it works fine. Can you explain why it works?&nbsp;<BR /><BR /><SPAN><STRONG>[^.]+&nbsp;</STRONG>&nbsp;</SPAN>What is the rest doing - I am having a hard time understanding it&nbsp;<BR /><BR />Your explanation would be very helpful for me. Thanks in advance.&nbsp;</P> Thu, 13 May 2021 23:45:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-certain-field-from-data-using-rex/m-p/551514#M156508 MeMilo09 2021-05-13T23:45:16Z https://community.splunk.com/t5/Splunk-Search/How-to-get-certain-field-from-data-using-rex/m-p/551517#M156509 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/233122">@MeMilo09</a>&nbsp;</P><P>"for " forces a match against that exact text. Without it, your match should have included both the text before the base file name and the base file name itself. The source text doesn't need to begin with "for;" that would require additional logic in the regex.</P><P>The (?&lt;xxx&gt;...) sequence defines a capture group with name xxx. In Splunk, xxx becomes the extracted field name.</P><P>[^.]+ means "match one or more characters that are not a period." The match will stop when it encounters the dot in the file name.</P> Fri, 14 May 2021 01:11:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-certain-field-from-data-using-rex/m-p/551517#M156509 tscroggins 2021-05-14T01:11:06Z