https://community.splunk.com/t5/Splunk-Search/creating-a-new-field-using-Regex/m-p/378140#M169767 <P>same position yes but not same letter, this is another example " cpe:/a:microsoft:malicious_software_removal_tool" so I'm looking for a way to distinguish between cpe:/o and cpe:/a</P> Tue, 29 Sep 2020 19:23:22 GMT mr_t2083 2020-09-29T19:23:22Z https://community.splunk.com/t5/Splunk-Search/creating-a-new-field-using-Regex/m-p/378136#M169763 <P>how do you create a field using regex with the following example below<BR /> for example </P> <P>exsamplefield=cpe:/o:microsoft:windows</P> <P>I would like to extract microsoft from the above field?</P> <P>What would be proper regex used to extract this?</P> Mon, 30 Apr 2018 20:53:41 GMT https://community.splunk.com/t5/Splunk-Search/creating-a-new-field-using-Regex/m-p/378136#M169763 mr_t2083 2018-04-30T20:53:41Z https://community.splunk.com/t5/Splunk-Search/creating-a-new-field-using-Regex/m-p/378137#M169764 <P>To build a proper regex, you need to describe your data properly, it has to have some reliable characteristics.<BR /> With your example above, multiple characteristics are possible, but without further example data it's hard to find those similarities.</P> <P>This is an example: <CODE>^[^:]+:[^:]+:(?&lt;yourfield&gt;[^:]+:)</CODE><BR /> This one would assume that there is always to parts in that field, seperated by <CODE>:</CODE>, and the value you want to extract is between the second and third <CODE>:</CODE>. If that's true - here's your regex <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Mon, 30 Apr 2018 20:57:11 GMT https://community.splunk.com/t5/Splunk-Search/creating-a-new-field-using-Regex/m-p/378137#M169764 xpac 2018-04-30T20:57:11Z https://community.splunk.com/t5/Splunk-Search/creating-a-new-field-using-Regex/m-p/378138#M169765 <P>Hi mr_t2083</P> <P>Please use this REX,</P> <P>am uploading pic as this page will try to remove some characters from REX if directly posted.<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/4893i58D653EE879F0EB7/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>&amp; if you want to apply Rex to field itself, refer to this second pic</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/4894i6EE75C29A8ED04B9/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>Thanks</P> Mon, 30 Apr 2018 21:30:32 GMT https://community.splunk.com/t5/Splunk-Search/creating-a-new-field-using-Regex/m-p/378138#M169765 PowerPacked 2018-04-30T21:30:32Z https://community.splunk.com/t5/Splunk-Search/creating-a-new-field-using-Regex/m-p/378139#M169766 <P>Will it always be in same position?</P> Mon, 30 Apr 2018 21:35:12 GMT https://community.splunk.com/t5/Splunk-Search/creating-a-new-field-using-Regex/m-p/378139#M169766 somesoni2 2018-04-30T21:35:12Z https://community.splunk.com/t5/Splunk-Search/creating-a-new-field-using-Regex/m-p/378140#M169767 <P>same position yes but not same letter, this is another example " cpe:/a:microsoft:malicious_software_removal_tool" so I'm looking for a way to distinguish between cpe:/o and cpe:/a</P> Tue, 29 Sep 2020 19:23:22 GMT https://community.splunk.com/t5/Splunk-Search/creating-a-new-field-using-Regex/m-p/378140#M169767 mr_t2083 2020-09-29T19:23:22Z https://community.splunk.com/t5/Splunk-Search/creating-a-new-field-using-Regex/m-p/378141#M169768 <P>Have you tried any of solution below? They both should work for you. If you want little more specific regex based on your data, you can try this <CODE>cpe\:\/(o|a)\:(?&lt;YourFieldName&gt;[^\:]+)</CODE>. (Basically look for either cpe:/a: or cpe:/o: and capture everything after that till next colon)</P> Tue, 01 May 2018 14:16:06 GMT https://community.splunk.com/t5/Splunk-Search/creating-a-new-field-using-Regex/m-p/378141#M169768 somesoni2 2018-05-01T14:16:06Z https://community.splunk.com/t5/Splunk-Search/creating-a-new-field-using-Regex/m-p/378142#M169769 <P>Like this:</P> <PRE><CODE>... | rex field=exsamplefield="^(?:[^:]*:){2}(?&lt;YourNameHere&gt;[^:]+)" </CODE></PRE> Tue, 01 May 2018 14:50:07 GMT https://community.splunk.com/t5/Splunk-Search/creating-a-new-field-using-Regex/m-p/378142#M169769 woodcock 2018-05-01T14:50:07Z https://community.splunk.com/t5/Splunk-Search/creating-a-new-field-using-Regex/m-p/378143#M169770 <P>cpe:\/(a|o):(?\w+):.*</P> <P>microsoft will be captured in the named group </P> <P>For testing, try <A href="http://www.regex101.com">www.regex101.com</A></P> Tue, 01 May 2018 15:19:22 GMT https://community.splunk.com/t5/Splunk-Search/creating-a-new-field-using-Regex/m-p/378143#M169770 macadminrohit 2018-05-01T15:19:22Z https://community.splunk.com/t5/Splunk-Search/creating-a-new-field-using-Regex/m-p/378144#M169771 <PRE><CODE>cpe:\/(a|o):(?&lt;fieldname&gt;\w+):.* </CODE></PRE> Tue, 01 May 2018 15:19:42 GMT https://community.splunk.com/t5/Splunk-Search/creating-a-new-field-using-Regex/m-p/378144#M169771 macadminrohit 2018-05-01T15:19:42Z