https://community.splunk.com/t5/Splunk-Search/Field-extraction/m-p/342523#M164292 <P>Great!<BR /> Thanks @niketnilay. this worked and thank you so much for helping me out.</P> Sun, 17 Dec 2017 13:48:26 GMT Deepz2612 2017-12-17T13:48:26Z https://community.splunk.com/t5/Splunk-Search/Field-extraction/m-p/342519#M164288 <P>Hi ,</P> <P>For logs such as below please help me in extracting the data enclosed within double quotes.</P> <PRE><CODE>Contact Dealership Name="Amery",Role= "IT_Deal" Contact Dealership Name="US",Role= "IT_Deal" Contact Dealership Name="J. Nuckolls, Inc. dba Fenton Auto Sales",Role= "IT_DEAN" </CODE></PRE> <P>I tried using rex field=_raw "Contact Dealership Name=\"(?[^,]+)\""<BR /> But the results are as below :</P> <PRE><CODE>Dealership_Name Amery US </CODE></PRE> <P>but <STRONG>J. Nuckolls, Inc. dba Fenton Auto Sales</STRONG> is not included in the result.<BR /> how the rex_field has to be modified to capture that also</P> Sat, 16 Dec 2017 16:10:11 GMT https://community.splunk.com/t5/Splunk-Search/Field-extraction/m-p/342519#M164288 Deepz2612 2017-12-16T16:10:11Z https://community.splunk.com/t5/Splunk-Search/Field-extraction/m-p/342520#M164289 <P>Try the following regex:</P> <P>Contact Dealership Name=\"(.+?)\"</P> Sat, 16 Dec 2017 16:29:00 GMT https://community.splunk.com/t5/Splunk-Search/Field-extraction/m-p/342520#M164289 ifotopoulos 2017-12-16T16:29:00Z https://community.splunk.com/t5/Splunk-Search/Field-extraction/m-p/342521#M164290 <P>Hey @Deepz2612</P> <P>Try this, you will be able to extract dealership name and role in one regex</P> <PRE><CODE>| rex field=_raw “Contact\sDealership\sName=(\"|\s)(?P&lt;ContactDealershipName&gt;[^\"]+)\",Role=(\s|)\"(?P&lt;Role&gt;[^\"]+)” </CODE></PRE> <P>Let me know if this works!</P> Sat, 16 Dec 2017 18:09:21 GMT https://community.splunk.com/t5/Splunk-Search/Field-extraction/m-p/342521#M164290 mayurr98 2017-12-16T18:09:21Z https://community.splunk.com/t5/Splunk-Search/Field-extraction/m-p/342522#M164291 <P>@mayurr98, <CODE>max_match=0</CODE> needs to be added in case this is a single event. Contact Dealership Name does not have space after equal to sign and before double quotes. However Role has a space before double quotes. So, the following regex should also work.</P> <P>You have special character double quotes in the code above for regular expression convert to simple double quotes <CODE>"</CODE></P> <P>@Deepz2612, following is the run anywhere search based on your sample data:</P> <PRE><CODE>| makeresults | eval _raw="Contact Dealership Name=\"Amery\",Role= \"IT_Deal\" Contact Dealership Name=\"US\",Role= \"IT_Deal\" Contact Dealership Name=\"J. Nuckolls, Inc. dba Fenton Auto Sales\",Role= \"IT_DEAN\" " | rex "Contact\sDealership\sName=\"(?&lt;contact_dealership_name&gt;[^\"]+)\",Role=\s\"(?&lt;role&gt;[^\"]+)\"" max_match=0 </CODE></PRE> Sat, 16 Dec 2017 18:38:50 GMT https://community.splunk.com/t5/Splunk-Search/Field-extraction/m-p/342522#M164291 niketn 2017-12-16T18:38:50Z https://community.splunk.com/t5/Splunk-Search/Field-extraction/m-p/342523#M164292 <P>Great!<BR /> Thanks @niketnilay. this worked and thank you so much for helping me out.</P> Sun, 17 Dec 2017 13:48:26 GMT https://community.splunk.com/t5/Splunk-Search/Field-extraction/m-p/342523#M164292 Deepz2612 2017-12-17T13:48:26Z