https://community.splunk.com/t5/Splunk-Search/Generated-pattern-regex/m-p/69741#M17476 <P>Now I changed it, so the inner caption group is named as well, even if it is not needed on my test instance (5.0.1). </P> <P>kailun, which splunk version do you use?</P> Thu, 20 Jun 2013 09:29:37 GMT peter_krammer 2013-06-20T09:29:37Z https://community.splunk.com/t5/Splunk-Search/Generated-pattern-regex/m-p/69737#M17472 <P>I need to extract both of the words, is there anyone that knows how ? I have used this <BR /> <CODE>(?i)summary : (?P&lt;FIELDNAME&gt;[\w\.]+)</CODE><BR /> but it extracts only the word Mostly.</P> <P>summary : Mostly Cloudy</P> Thu, 20 Jun 2013 08:21:38 GMT https://community.splunk.com/t5/Splunk-Search/Generated-pattern-regex/m-p/69737#M17472 kailun92 2013-06-20T08:21:38Z https://community.splunk.com/t5/Splunk-Search/Generated-pattern-regex/m-p/69738#M17473 <PRE><CODE>(?&lt;field_name&gt;\S+)\s+:\s+(?&lt;field_value&gt;.+) </CODE></PRE> <P>Be careful about the cases of 's', because '\s' has a different meaning than '\S'.</P> Thu, 20 Jun 2013 08:39:24 GMT https://community.splunk.com/t5/Splunk-Search/Generated-pattern-regex/m-p/69738#M17473 peter_krammer 2013-06-20T08:39:24Z https://community.splunk.com/t5/Splunk-Search/Generated-pattern-regex/m-p/69739#M17474 <P>The questionmark in the inner caption group was producing a problem, I edited my answer to my tested solution.</P> Thu, 20 Jun 2013 09:06:33 GMT https://community.splunk.com/t5/Splunk-Search/Generated-pattern-regex/m-p/69739#M17474 peter_krammer 2013-06-20T09:06:33Z https://community.splunk.com/t5/Splunk-Search/Generated-pattern-regex/m-p/69740#M17475 <P>Invalid regex: no named extraction at position 27 (i.e., "&gt;([\w.]+..."). Expected "(?P<VARIABLE>pattern)"</VARIABLE></P> Thu, 20 Jun 2013 09:07:25 GMT https://community.splunk.com/t5/Splunk-Search/Generated-pattern-regex/m-p/69740#M17475 kailun92 2013-06-20T09:07:25Z https://community.splunk.com/t5/Splunk-Search/Generated-pattern-regex/m-p/69741#M17476 <P>Now I changed it, so the inner caption group is named as well, even if it is not needed on my test instance (5.0.1). </P> <P>kailun, which splunk version do you use?</P> Thu, 20 Jun 2013 09:29:37 GMT https://community.splunk.com/t5/Splunk-Search/Generated-pattern-regex/m-p/69741#M17476 peter_krammer 2013-06-20T09:29:37Z https://community.splunk.com/t5/Splunk-Search/Generated-pattern-regex/m-p/69742#M17477 <P>I am using 5.0.2. Btw it worked but my data is inputed this way(below), it extracts this</P> <P>FIELDNAME<BR /> Mostly Cloudy<BR /> temperature <BR /> Foggy<BR /> temperature <BR /> lastword<BR /> temperature </P> <P>(Splunk reads my data every 5 minutes)<BR /> time : 1371715104<BR /> visibility : 0.67<BR /> windBearing : 260<BR /> windSpeed : 9.41<BR /> psiAverage : 182<BR /> cloudCover : 0.61<BR /> dewPoint : 65.58<BR /> humidity : 0.39<BR /> icon : fog<BR /> ozone : 267.04<BR /> precipIntensity : 0<BR /> pressure : 1005.64<BR /> summary : Foggy<BR /> temperature : 94.49</P> Thu, 20 Jun 2013 09:49:49 GMT https://community.splunk.com/t5/Splunk-Search/Generated-pattern-regex/m-p/69742#M17477 kailun92 2013-06-20T09:49:49Z https://community.splunk.com/t5/Splunk-Search/Generated-pattern-regex/m-p/69743#M17478 <P>Well thats quite a different usecase, thanI would have guessed from your initial question. I updated my answer to extract the field_name ("summary") and the field_value ("Mostly Cloudy") seperatly. </P> <P>But maybe you also want to take a look at handling multiline events.</P> Mon, 28 Sep 2020 14:08:20 GMT https://community.splunk.com/t5/Splunk-Search/Generated-pattern-regex/m-p/69743#M17478 peter_krammer 2020-09-28T14:08:20Z https://community.splunk.com/t5/Splunk-Search/Generated-pattern-regex/m-p/69744#M17479 <P>see my comments down, I cannot post codes in here.</P> Thu, 20 Jun 2013 10:26:29 GMT https://community.splunk.com/t5/Splunk-Search/Generated-pattern-regex/m-p/69744#M17479 kailun92 2013-06-20T10:26:29Z https://community.splunk.com/t5/Splunk-Search/Generated-pattern-regex/m-p/69745#M17480 <P>I tried this expression and it work. Btw thanks for your help ! <span class="lia-unicode-emoji" title=":grinning_face_with_big_eyes:">😃</span></P> <P>(?i)Summary : (?P<CURRENT_SUMMARY>.+)\n</CURRENT_SUMMARY></P> Sat, 22 Jun 2013 07:00:29 GMT https://community.splunk.com/t5/Splunk-Search/Generated-pattern-regex/m-p/69745#M17480 kailun92 2013-06-22T07:00:29Z