https://community.splunk.com/t5/Splunk-Search/Copy-and-then-parse-a-field/m-p/458583#M171255 <P>Hi a212830,</P> <P>see this answer <A href="https://answers.splunk.com/answers/319646/how-to-write-the-regex-to-extract-data-inside-squa.html">https://answers.splunk.com/answers/319646/how-to-write-the-regex-to-extract-data-inside-squa.html</A><BR /> but you will use this settings in transforms.conf :</P> <PRE><CODE>REGEX = \&gt;([^\&lt;]+)\&lt; FORMAT = MyNewFieldName::$1 </CODE></PRE> <P>This will create a new field called <CODE>MyNewFieldName</CODE> containing this value <CODE>these are some values</CODE>.</P> <P>Hope this helps ...</P> <P>cheers, MuS</P> Mon, 13 May 2019 20:37:28 GMT MuS 2019-05-13T20:37:28Z https://community.splunk.com/t5/Splunk-Search/Copy-and-then-parse-a-field/m-p/458582#M171254 <P>Hi,</P> <P>I have a field that already exists, and I want to parse it out into a new field, using props/transforms. The field is surrounded in brackets, so it's in this format: </P> <PRE><CODE>&lt;COMPID&gt; these are some values &lt;/COMPID&gt; </CODE></PRE> <P>The entired feed is bracket enclosed (but not xml). I've never done this before, and the regex is killing me as well. Can anyone help? </P> Mon, 13 May 2019 20:24:14 GMT https://community.splunk.com/t5/Splunk-Search/Copy-and-then-parse-a-field/m-p/458582#M171254 a212830 2019-05-13T20:24:14Z https://community.splunk.com/t5/Splunk-Search/Copy-and-then-parse-a-field/m-p/458583#M171255 <P>Hi a212830,</P> <P>see this answer <A href="https://answers.splunk.com/answers/319646/how-to-write-the-regex-to-extract-data-inside-squa.html">https://answers.splunk.com/answers/319646/how-to-write-the-regex-to-extract-data-inside-squa.html</A><BR /> but you will use this settings in transforms.conf :</P> <PRE><CODE>REGEX = \&gt;([^\&lt;]+)\&lt; FORMAT = MyNewFieldName::$1 </CODE></PRE> <P>This will create a new field called <CODE>MyNewFieldName</CODE> containing this value <CODE>these are some values</CODE>.</P> <P>Hope this helps ...</P> <P>cheers, MuS</P> Mon, 13 May 2019 20:37:28 GMT https://community.splunk.com/t5/Splunk-Search/Copy-and-then-parse-a-field/m-p/458583#M171255 MuS 2019-05-13T20:37:28Z https://community.splunk.com/t5/Splunk-Search/Copy-and-then-parse-a-field/m-p/458584#M171256 <P>Sorry, getting back to this... not sure this will work, as every field is bracket &lt;&gt; seperated. I need something that will extract the first string within the values. It contains multiple, white space seperated values. </P> <PRE><CODE>&lt;COMPID&gt;string1 string2 string3 string4&lt;/COMPID&gt; </CODE></PRE> Thu, 06 Jun 2019 15:11:51 GMT https://community.splunk.com/t5/Splunk-Search/Copy-and-then-parse-a-field/m-p/458584#M171256 a212830 2019-06-06T15:11:51Z https://community.splunk.com/t5/Splunk-Search/Copy-and-then-parse-a-field/m-p/458585#M171257 <P>Sure this will work, I just did not understood it correct <span class="lia-unicode-emoji" title=":winking_face:">😉</span> </P> <P>In this case try this regex:</P> <PRE><CODE>REGEX = \&gt;([^\s]+)\s </CODE></PRE> <P>this will get <CODE>string1</CODE> from your example as value of the <CODE>MyNewFieldName</CODE>.</P> <P>cheers, MuS</P> Thu, 06 Jun 2019 22:11:09 GMT https://community.splunk.com/t5/Splunk-Search/Copy-and-then-parse-a-field/m-p/458585#M171257 MuS 2019-06-06T22:11:09Z https://community.splunk.com/t5/Splunk-Search/Copy-and-then-parse-a-field/m-p/458586#M171258 <P>Hey @a212830, is this a duplicate post to your <A href="https://answers.splunk.com/answers/746434/help-with-props-and-transforms.html">Help with props and transforms</A>?</P> Mon, 01 Jul 2019 12:45:42 GMT https://community.splunk.com/t5/Splunk-Search/Copy-and-then-parse-a-field/m-p/458586#M171258 sloshburch 2019-07-01T12:45:42Z