https://community.splunk.com/t5/Splunk-Search/rex-extraction-user-amp-module/m-p/559757#M159033 <P>sorry for miss spelling it is&nbsp;module I modify last reply.</P><P>and try this but not work</P><DIV class="lia-message-body lia-component-message-view-widget-body lia-component-body-signature-highlight-escalation lia-component-message-view-widget-body-signature-highlight-escalation"><DIV class="lia-message-body-content"><P><SPAN>rex "User\:(?&lt;user&gt;.+)\s\|\|\s(module\:(?&lt;module&gt;.+)"</SPAN></P><P>&nbsp;</P><P><SPAN>Any idea?</SPAN></P><P><SPAN>Thanks</SPAN></P></DIV></DIV><DIV class="lia-panel lia-panel-standard MessageTagsTaplet Chrome lia-component-message-view-widget-tags"><DIV class="lia-decoration-border"><DIV class="lia-decoration-border-top"><DIV>&nbsp;</DIV></DIV><DIV class="lia-decoration-border-content"><DIV><DIV class="lia-panel-content-wrapper"><DIV class="lia-panel-content"><DIV class="AddMessageTags lia-message-tags">&nbsp;</DIV></DIV></DIV></DIV></DIV></DIV></DIV> Fri, 16 Jul 2021 06:01:42 GMT indeed_2000 2021-07-16T06:01:42Z https://community.splunk.com/t5/Splunk-Search/rex-extraction-user-amp-module/m-p/559665#M158994 <DIV class="shared-eventsviewer-shared-rawfield"><DIV class="raw-event normal wrap "><SPAN class="t">Hi</SPAN></DIV><DIV class="raw-event normal wrap "><SPAN class="t">Here is my log, what is the rex for extract "0000A0@#0000" and "mymodulename"</SPAN></DIV><DIV class="raw-event normal wrap ">&nbsp;</DIV><DIV class="raw-event normal wrap "><SPAN class="t">2021-07-14</SPAN> <SPAN class="t">23:59:05</SPAN>,<SPAN class="t">185</SPAN> <SPAN class="t">INFO</SPAN> [<SPAN class="t">APP</SPAN>] <SPAN class="t a"><SPAN class="t">User:</SPAN></SPAN>&nbsp;0000A0<SPAN class="t">@#0000</SPAN>&nbsp;|| <SPAN class="t">module:</SPAN> <SPAN class="t">mymodulename</SPAN></DIV></DIV><DIV class="shared-eventsviewer-list-body-row-selectedfields">&nbsp;</DIV><DIV class="shared-eventsviewer-list-body-row-selectedfields">any idea?</DIV><DIV class="shared-eventsviewer-list-body-row-selectedfields">Thanks</DIV><DIV class="shared-eventsviewer-list-body-row-selectedfields">&nbsp;</DIV> Thu, 15 Jul 2021 17:45:55 GMT https://community.splunk.com/t5/Splunk-Search/rex-extraction-user-amp-module/m-p/559665#M158994 indeed_2000 2021-07-15T17:45:55Z https://community.splunk.com/t5/Splunk-Search/rex-extraction-user-amp-module/m-p/559679#M158999 <P>rex "User\:(?&lt;user&gt;.+)\s\|\|\smodule\:(?&lt;module&gt;.+)"</P><P>(field=_raw is added by default)</P> Thu, 15 Jul 2021 19:48:02 GMT https://community.splunk.com/t5/Splunk-Search/rex-extraction-user-amp-module/m-p/559679#M158999 efika 2021-07-15T19:48:02Z https://community.splunk.com/t5/Splunk-Search/rex-extraction-user-amp-module/m-p/559725#M159021 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/217339">@indeed_2000</a>&nbsp;</P><P>Can you try this?&nbsp;&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">&lt;your_search_goes_here&gt; | rex "User\:\s+(?&lt;user&gt;\S+)\s\|\|\smodule\:\s+(?&lt;module&gt;.+)$" | table user module </LI-CODE><P>&nbsp;</P><P>---</P><P>An upvote would be appreciated and Accept the solution if this reply helps!</P><P>&nbsp;</P> Fri, 16 Jul 2021 00:48:46 GMT https://community.splunk.com/t5/Splunk-Search/rex-extraction-user-amp-module/m-p/559725#M159021 venkatasri 2021-07-16T00:48:46Z https://community.splunk.com/t5/Splunk-Search/rex-extraction-user-amp-module/m-p/559747#M159027 <P>thank you for answer, it's not work on all user &amp; module name (both might have capital word or special character)</P><P>e.g.&nbsp;</P><P>2021-07-14 23:53:23,353 INFO [APP] User: A0000@#0000 || module: setNameDescription</P><P>2021-07-14 23:53:23,353 INFO [APP] User: A.Kay || module: setNameDescription</P><P>2021-07-14 23:53:23,353 INFO [APP] User: b_Kay || module: setNameDescription</P><P>&nbsp;</P><P>any idea?</P><P>Thanks,</P> Fri, 16 Jul 2021 05:59:17 GMT https://community.splunk.com/t5/Splunk-Search/rex-extraction-user-amp-module/m-p/559747#M159027 indeed_2000 2021-07-16T05:59:17Z https://community.splunk.com/t5/Splunk-Search/rex-extraction-user-amp-module/m-p/559748#M159028 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/217339">@indeed_2000</a>&nbsp;What you have originally provided having different log structure. User: || module:&nbsp;</P><P>These new logs having User: || method hence rex provided only works for module. Which one are correct events?</P><P>&nbsp;</P> Fri, 16 Jul 2021 05:22:26 GMT https://community.splunk.com/t5/Splunk-Search/rex-extraction-user-amp-module/m-p/559748#M159028 venkatasri 2021-07-16T05:22:26Z https://community.splunk.com/t5/Splunk-Search/rex-extraction-user-amp-module/m-p/559751#M159030 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/217339">@indeed_2000</a>&nbsp;This one works for method.&nbsp;</P><LI-CODE lang="markup">&lt;your_search&gt; | rex "User\:\s+(?&lt;user&gt;\S+)\s+\|\|\s+method:\s+(?&lt;method&gt;\S+)$" | table user method</LI-CODE><P>--</P><P>An upvote would be appreciated and accept solution if this reply helps!</P> Fri, 16 Jul 2021 05:25:18 GMT https://community.splunk.com/t5/Splunk-Search/rex-extraction-user-amp-module/m-p/559751#M159030 venkatasri 2021-07-16T05:25:18Z https://community.splunk.com/t5/Splunk-Search/rex-extraction-user-amp-module/m-p/559752#M159031 <P>Not a problem. use:</P><P>&nbsp;</P><P><SPAN>rex "User\:(?&lt;user&gt;.+)\s\|\|\s(module\:(?&lt;module&gt;.+)|method\:(?&lt;method&gt;.+))"</SPAN></P> Fri, 16 Jul 2021 05:28:01 GMT https://community.splunk.com/t5/Splunk-Search/rex-extraction-user-amp-module/m-p/559752#M159031 efika 2021-07-16T05:28:01Z https://community.splunk.com/t5/Splunk-Search/rex-extraction-user-amp-module/m-p/559757#M159033 <P>sorry for miss spelling it is&nbsp;module I modify last reply.</P><P>and try this but not work</P><DIV class="lia-message-body lia-component-message-view-widget-body lia-component-body-signature-highlight-escalation lia-component-message-view-widget-body-signature-highlight-escalation"><DIV class="lia-message-body-content"><P><SPAN>rex "User\:(?&lt;user&gt;.+)\s\|\|\s(module\:(?&lt;module&gt;.+)"</SPAN></P><P>&nbsp;</P><P><SPAN>Any idea?</SPAN></P><P><SPAN>Thanks</SPAN></P></DIV></DIV><DIV class="lia-panel lia-panel-standard MessageTagsTaplet Chrome lia-component-message-view-widget-tags"><DIV class="lia-decoration-border"><DIV class="lia-decoration-border-top"><DIV>&nbsp;</DIV></DIV><DIV class="lia-decoration-border-content"><DIV><DIV class="lia-panel-content-wrapper"><DIV class="lia-panel-content"><DIV class="AddMessageTags lia-message-tags">&nbsp;</DIV></DIV></DIV></DIV></DIV></DIV></DIV> Fri, 16 Jul 2021 06:01:42 GMT https://community.splunk.com/t5/Splunk-Search/rex-extraction-user-amp-module/m-p/559757#M159033 indeed_2000 2021-07-16T06:01:42Z https://community.splunk.com/t5/Splunk-Search/rex-extraction-user-amp-module/m-p/559758#M159034 <P>it worked! thank you! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>replace it with module</P> Fri, 16 Jul 2021 06:04:49 GMT https://community.splunk.com/t5/Splunk-Search/rex-extraction-user-amp-module/m-p/559758#M159034 indeed_2000 2021-07-16T06:04:49Z