https://community.splunk.com/t5/Splunk-Search/REGEX-with-variabilities-in-Data-Length-Structure-Type/m-p/557892#M158445 <P>If your problem is resolved, then please click the "Accept as Solution" button to help future readers.</P> Wed, 30 Jun 2021 18:40:34 GMT richgalloway 2021-06-30T18:40:34Z https://community.splunk.com/t5/Splunk-Search/REGEX-with-variabilities-in-Data-Length-Structure-Type/m-p/557652#M158374 <P>2019-06-201 09:05:22.945, &nbsp;User: XX, EType: SIGN, Filter: 000000000, EventId: SIGNATURE, Id: 028119296, UserIdType: xxx, Address: 000.000.100.100, SystemName: Neno, SId: <FONT color="#FF0000"><STRONG>adb155b9-b3aa-4a64-8312-33f8f41de96d, TransType: SDLN, Tid: 9200001193, UserNm: xxx aaa, UType: yyyy, UId: 67B7-xxxx-bbbb-6abr-E0B1D9B6083B, Level: BoM3, Form: MOB, IntentId: 531, Timestamp: 2019-06-29T14:05:22.954Z</STRONG></FONT>, ExtCode: 00, Message: null. <SPAN>2019-06-21</SPAN> <SPAN>06:30:30.107</SPAN>, <SPAN>User:</SPAN> YYY, <SPAN>EType:</SPAN> no<SPAN>SIGN</SPAN>, <SPAN>Filter:</SPAN> <SPAN>000000000</SPAN>, <SPAN>EventId:</SPAN> <SPAN>No_SIGNATURES</SPAN>,<SPAN>Id:</SPAN> 00<SPAN>234545345</SPAN>-, <SPAN>Address:</SPAN> 000<SPAN>.111.222.005</SPAN>, <SPAN>SystemName:</SPAN> Neno, <SPAN>SId:</SPAN> <FONT color="#FF0000"><STRONG>=/=S()A.b(X(-yJrV/+do)f(Q_)uW-/6+o_v.k|3dOYc+Fh_=YOX-iDA++===, TType: CAF_dLn, TId: ThisIsAutomation</STRONG></FONT>, Ext<SPAN>Code:</SPAN> <SPAN>00, </SPAN>Message: null.</P><P>&nbsp;</P><P>I included 2 sample events. My objective is to extract "Sid" field values. The field values should contain all text between SId and ExtCode (Highlighted as Bold RED). Any help will be highly appreciated! Thank you.</P><P>&nbsp;</P> Tue, 29 Jun 2021 18:01:57 GMT https://community.splunk.com/t5/Splunk-Search/REGEX-with-variabilities-in-Data-Length-Structure-Type/m-p/557652#M158374 SplunkDash 2021-06-29T18:01:57Z https://community.splunk.com/t5/Splunk-Search/REGEX-with-variabilities-in-Data-Length-Structure-Type/m-p/557714#M158396 <P>This should do it.</P><LI-CODE lang="markup">| rex "SId: (?&lt;sid&gt;.*?), ExtCode"</LI-CODE> Wed, 30 Jun 2021 00:25:28 GMT https://community.splunk.com/t5/Splunk-Search/REGEX-with-variabilities-in-Data-Length-Structure-Type/m-p/557714#M158396 richgalloway 2021-06-30T00:25:28Z https://community.splunk.com/t5/Splunk-Search/REGEX-with-variabilities-in-Data-Length-Structure-Type/m-p/557867#M158436 <P>I would also like to add a text&nbsp; "SID:" as a part of&nbsp; "sid" field values ...any help would be highly appreciated!</P><P>Thank you and Regards</P><P>&nbsp;</P> Wed, 30 Jun 2021 17:05:38 GMT https://community.splunk.com/t5/Splunk-Search/REGEX-with-variabilities-in-Data-Length-Structure-Type/m-p/557867#M158436 SplunkDash 2021-06-30T17:05:38Z https://community.splunk.com/t5/Splunk-Search/REGEX-with-variabilities-in-Data-Length-Structure-Type/m-p/557868#M158437 <LI-CODE lang="markup">| rex "(?&lt;sid&gt;SId: .*?), ExtCode"</LI-CODE> Wed, 30 Jun 2021 17:13:33 GMT https://community.splunk.com/t5/Splunk-Search/REGEX-with-variabilities-in-Data-Length-Structure-Type/m-p/557868#M158437 ITWhisperer 2021-06-30T17:13:33Z https://community.splunk.com/t5/Splunk-Search/REGEX-with-variabilities-in-Data-Length-Structure-Type/m-p/557874#M158438 <P>I used this....</P><P>SId:\s+(?P&lt;sid&gt;SId:&nbsp; .*),&nbsp; EXTCode</P><P>But not working....</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 30 Jun 2021 18:00:58 GMT https://community.splunk.com/t5/Splunk-Search/REGEX-with-variabilities-in-Data-Length-Structure-Type/m-p/557874#M158438 SplunkDash 2021-06-30T18:00:58Z https://community.splunk.com/t5/Splunk-Search/REGEX-with-variabilities-in-Data-Length-Structure-Type/m-p/557878#M158440 <P>You have used Sid: twice in the expression - use it once as I suggested.</P> Wed, 30 Jun 2021 18:06:28 GMT https://community.splunk.com/t5/Splunk-Search/REGEX-with-variabilities-in-Data-Length-Structure-Type/m-p/557878#M158440 ITWhisperer 2021-06-30T18:06:28Z https://community.splunk.com/t5/Splunk-Search/REGEX-with-variabilities-in-Data-Length-Structure-Type/m-p/557885#M158442 <P>Oh yes....thank you...working as expected, appreciated <span class="lia-unicode-emoji" title=":smiling_face_with_smiling_eyes:">😊</span>!!!</P> Wed, 30 Jun 2021 18:16:53 GMT https://community.splunk.com/t5/Splunk-Search/REGEX-with-variabilities-in-Data-Length-Structure-Type/m-p/557885#M158442 SplunkDash 2021-06-30T18:16:53Z https://community.splunk.com/t5/Splunk-Search/REGEX-with-variabilities-in-Data-Length-Structure-Type/m-p/557892#M158445 <P>If your problem is resolved, then please click the "Accept as Solution" button to help future readers.</P> Wed, 30 Jun 2021 18:40:34 GMT https://community.splunk.com/t5/Splunk-Search/REGEX-with-variabilities-in-Data-Length-Structure-Type/m-p/557892#M158445 richgalloway 2021-06-30T18:40:34Z