https://community.splunk.com/t5/Splunk-Search/Field-extraction-Help/m-p/551792#M156589 <P>The status is not necessarily Turn On, I will also need to extract the word "Execute" where the location of the word is not the same for the case of "Execute All Appliances" and "In process to Execute".</P><P>&nbsp;</P><P>I am actually looking if there is anyway I can extract those words regardless of the location in the sentence.</P> Mon, 17 May 2021 07:44:34 GMT moinyuso96 2021-05-17T07:44:34Z https://community.splunk.com/t5/Splunk-Search/Field-extraction-Help/m-p/551770#M156581 <P><STRONG><U>Description&nbsp;</U>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;</STRONG></P><P><STRONG>Recorded value for [Turn On Test 123]</STRONG></P><P><STRONG>Recorded value for [Turn On Test 456]</STRONG></P><P><STRONG>Execute all Appliances</STRONG></P><P><STRONG>In process to Execute</STRONG></P><P>&nbsp;</P><P>I would like to create another field name "Status" whereby it only extract "Turn On" for "Recorded value for [Turn On Test xxx]" and "Execute" for "Execute&nbsp;all Appliances" &amp; "In process to Execute"</P> Mon, 17 May 2021 03:16:13 GMT https://community.splunk.com/t5/Splunk-Search/Field-extraction-Help/m-p/551770#M156581 moinyuso96 2021-05-17T03:16:13Z https://community.splunk.com/t5/Splunk-Search/Field-extraction-Help/m-p/551780#M156586 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/234296">@moinyuso96</a>,</P><P>the extraction of a field in logs ad the ones you shared is easy, only one question: the status is always a dondition of two words (e.g. Turn on, Turn off, etc...) or not?</P><P>The possible statuses are fixed (e.g. only "Turn on" and Turn off"?</P><P>I ask this to exactly define the content of the status ield.</P><P>So if the status is always composed by two words, try this:</P><LI-CODE lang="markup">| rex "\[(?&lt;status&gt;\w+\s\w+)"</LI-CODE><P>that you can test at&nbsp;<A href="https://regex101.com/r/VAPtVU/1" target="_blank">https://regex101.com/r/VAPtVU/1</A></P><P>Ciao.</P><P>Giuseppe</P> Mon, 17 May 2021 05:55:04 GMT https://community.splunk.com/t5/Splunk-Search/Field-extraction-Help/m-p/551780#M156586 gcusello 2021-05-17T05:55:04Z https://community.splunk.com/t5/Splunk-Search/Field-extraction-Help/m-p/551792#M156589 <P>The status is not necessarily Turn On, I will also need to extract the word "Execute" where the location of the word is not the same for the case of "Execute All Appliances" and "In process to Execute".</P><P>&nbsp;</P><P>I am actually looking if there is anyway I can extract those words regardless of the location in the sentence.</P> Mon, 17 May 2021 07:44:34 GMT https://community.splunk.com/t5/Splunk-Search/Field-extraction-Help/m-p/551792#M156589 moinyuso96 2021-05-17T07:44:34Z https://community.splunk.com/t5/Splunk-Search/Field-extraction-Help/m-p/551795#M156590 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/234296">@moinyuso96</a>,</P><P>as I said, the problem is that to correctly extract the status I need to know the format or the values of the status field.</P><P>If the values fo the status are defined and in a limitated number you can put these values in the regex, e.g. if the possible values are only "Tun On", "Turn Off" and "Execute", you could use them in the regex:</P><LI-CODE lang="markup">| rex "\[(?&lt;status&gt;Turn On|Turn Off|Execute)"</LI-CODE><P>as you can see in <A href="https://regex101.com/r/VAPtVU/2" target="_blank">https://regex101.com/r/VAPtVU/2</A></P><P>Ciao.</P><P>Giuseppe</P> Mon, 17 May 2021 07:51:46 GMT https://community.splunk.com/t5/Splunk-Search/Field-extraction-Help/m-p/551795#M156590 gcusello 2021-05-17T07:51:46Z https://community.splunk.com/t5/Splunk-Search/Field-extraction-Help/m-p/551866#M156604 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/234296">@moinyuso96</a>,</P><P>good for you, see next time!</P><P>Ciao and happy splunking.</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Mon, 17 May 2021 12:30:34 GMT https://community.splunk.com/t5/Splunk-Search/Field-extraction-Help/m-p/551866#M156604 gcusello 2021-05-17T12:30:34Z