https://community.splunk.com/t5/Splunk-Search/REGEX/m-p/558812#M158767 <P><SPAN>Hi guys, im noob in regular expressions!!<BR /><BR />2021-07-05 23:22:12.807 +01:00 [WRN] XXXXX.Membership.Renew Long Running Request: IntegratePaymentCommand (1082 milliseconds) Jobs {"BatchSize":10,"MaxRetry":5,"$type":"IntegratePaymentCommand"}<BR /><BR /></SPAN><BR /><SPAN>What if I want to take [WRN] as event_level.. can be&nbsp; [WRN] or [ERR].</SPAN><BR /><SPAN>And ( xxxxx miliseconds) as time.</SPAN></P> Fri, 09 Jul 2021 09:46:31 GMT dteixeira98 2021-07-09T09:46:31Z https://community.splunk.com/t5/Splunk-Search/REGEX/m-p/558812#M158767 <P><SPAN>Hi guys, im noob in regular expressions!!<BR /><BR />2021-07-05 23:22:12.807 +01:00 [WRN] XXXXX.Membership.Renew Long Running Request: IntegratePaymentCommand (1082 milliseconds) Jobs {"BatchSize":10,"MaxRetry":5,"$type":"IntegratePaymentCommand"}<BR /><BR /></SPAN><BR /><SPAN>What if I want to take [WRN] as event_level.. can be&nbsp; [WRN] or [ERR].</SPAN><BR /><SPAN>And ( xxxxx miliseconds) as time.</SPAN></P> Fri, 09 Jul 2021 09:46:31 GMT https://community.splunk.com/t5/Splunk-Search/REGEX/m-p/558812#M158767 dteixeira98 2021-07-09T09:46:31Z https://community.splunk.com/t5/Splunk-Search/REGEX/m-p/558817#M158768 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/236225">@dteixeira98</a>&nbsp;Can you try this?</P><LI-CODE lang="markup">&lt;your_search_goes_here&gt; | rex "\[(?&lt;level&gt;\w+)\].+\((?&lt;time_taken&gt;\d+)\s+milliseconds"</LI-CODE><P>&nbsp;Field level will have WRN, ERR, ERROR etc and time_taken would be milliseconds.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="venkatasri_1-1625828579651.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/15001i9B5AD71604DF6D78/image-size/medium?v=v2&amp;px=400" role="button" title="venkatasri_1-1625828579651.png" alt="venkatasri_1-1625828579651.png" /></span></P><P>&nbsp;</P><P>--</P><P>An upvote would be appreciated and Accept solution if this reply helps!</P> Fri, 09 Jul 2021 11:03:09 GMT https://community.splunk.com/t5/Splunk-Search/REGEX/m-p/558817#M158768 venkatasri 2021-07-09T11:03:09Z https://community.splunk.com/t5/Splunk-Search/REGEX/m-p/558825#M158770 <P>Thanks that really helped me!</P> Fri, 09 Jul 2021 11:29:54 GMT https://community.splunk.com/t5/Splunk-Search/REGEX/m-p/558825#M158770 dteixeira98 2021-07-09T11:29:54Z https://community.splunk.com/t5/Splunk-Search/REGEX/m-p/558826#M158771 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/236225">@dteixeira98</a>&nbsp; Great! Appreciate if you could Accept the solution that helps others.</P> Fri, 09 Jul 2021 11:30:55 GMT https://community.splunk.com/t5/Splunk-Search/REGEX/m-p/558826#M158771 venkatasri 2021-07-09T11:30:55Z