https://community.splunk.com/t5/Splunk-Search/Regex-help/m-p/560509#M159291 <P>No, this was regex was unable to extract the user field</P> Thu, 22 Jul 2021 18:12:10 GMT SS1 2021-07-22T18:12:10Z https://community.splunk.com/t5/Splunk-Search/Regex-help/m-p/560428#M159265 <P>Hi,</P><P>I have below sources,</P><P>source =&nbsp; C:\Stats\user1\Tmpdata\Mappers\Consolesx\start.log</P><P>source =&nbsp; C:\Stats\user2\Tmpdata\Mappers\Consolesx\start.log</P><P>source = C:\Stats\user3\Tmpdata\Mappers\Consolesx\start.log</P><P>source = C:\Stats\user4\Tmpdata\Mappers\Consolesx\start.log</P><P>&nbsp;</P><P>Instead of displaying full paths i want the source to display just, can we have a rex for this one</P><P>source = user1</P><P>source = user2</P><P>source = user3</P><P>source = user4</P> Thu, 22 Jul 2021 03:49:22 GMT https://community.splunk.com/t5/Splunk-Search/Regex-help/m-p/560428#M159265 SS1 2021-07-22T03:49:22Z https://community.splunk.com/t5/Splunk-Search/Regex-help/m-p/560432#M159267 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225125">@SS1</a>&nbsp;</P><P><STRONG>Can you please try this?<BR /></STRONG></P><LI-CODE lang="markup">YOUR_SEARCH | rex field=source "C:\\\\Stats\\\\(?&lt;user&gt;\w+)\\\\" | table source user</LI-CODE><P>&nbsp;</P><P><STRONG>My Sample Search :</STRONG></P><LI-CODE lang="markup">| makeresults | eval _raw="_raw source = C:\Stats\user1\Tmpdata\Mappers\Consolesx\start.log source = C:\Stats\user2\Tmpdata\Mappers\Consolesx\start.log source = C:\Stats\user3\Tmpdata\Mappers\Consolesx\start.log source = C:\Stats\user4\Tmpdata\Mappers\Consolesx\start.log" | multikv forceheader=1| extract | rex field=source "C:\\\\Stats\\\\(?&lt;user&gt;\w+)\\\\" | table source user</LI-CODE><P>&nbsp;</P><P>Thanks<BR />KV<BR />▄︻̷̿┻̿═━一 &nbsp; ?<BR /><BR />If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.</P> Thu, 22 Jul 2021 05:09:03 GMT https://community.splunk.com/t5/Splunk-Search/Regex-help/m-p/560432#M159267 kamlesh_vaghela 2021-07-22T05:09:03Z https://community.splunk.com/t5/Splunk-Search/Regex-help/m-p/560509#M159291 <P>No, this was regex was unable to extract the user field</P> Thu, 22 Jul 2021 18:12:10 GMT https://community.splunk.com/t5/Splunk-Search/Regex-help/m-p/560509#M159291 SS1 2021-07-22T18:12:10Z https://community.splunk.com/t5/Splunk-Search/Regex-help/m-p/560567#M159314 <P>Hi&nbsp;&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225125">@SS1</a>,</P><P>the solution of&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/127939">@kamlesh_vaghela</a>&nbsp; is running on my Splunk.</P><P>Eventually, you could try something near:</P><LI-CODE lang="markup">| rex field=source "C:\\\\Stats\\\\(?&lt;user&gt;[^\\\]+)\\\\"</LI-CODE><P>to test in this way:</P><LI-CODE lang="markup">| makeresults | eval _raw="_raw source = C:\Stats\user1\Tmpdata\Mappers\Consolesx\start.log source = C:\Stats\user2\Tmpdata\Mappers\Consolesx\start.log source = C:\Stats\user3\Tmpdata\Mappers\Consolesx\start.log source = C:\Stats\user4\Tmpdata\Mappers\Consolesx\start.log" | multikv forceheader=1| extract | rex field=source "C:\\\\Stats\\\\(?&lt;user&gt;[^\\\]+)\\\\" | table source user</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Fri, 23 Jul 2021 06:20:07 GMT https://community.splunk.com/t5/Splunk-Search/Regex-help/m-p/560567#M159314 gcusello 2021-07-23T06:20:07Z https://community.splunk.com/t5/Splunk-Search/Regex-help/m-p/560718#M159371 <P>Yes, this working now. Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/127939">@kamlesh_vaghela</a>&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;</P> Sun, 25 Jul 2021 21:57:03 GMT https://community.splunk.com/t5/Splunk-Search/Regex-help/m-p/560718#M159371 SS1 2021-07-25T21:57:03Z