https://community.splunk.com/t5/Splunk-Search/Formatting-Log-Name-with-Regex/m-p/210502#M187834 <P>Try this</P> <PRE><CODE>... | rex field=_raw "_\w+_(?&lt;parameterName&gt;\w+)\." | table parameterName </CODE></PRE> Wed, 03 Aug 2016 14:46:13 GMT sundareshr 2016-08-03T14:46:13Z https://community.splunk.com/t5/Splunk-Search/Formatting-Log-Name-with-Regex/m-p/210501#M187833 <P>Hello. I am currently trying to do something with a list of logs that I have been given.</P> <P>All of the logs have the same format:</P> <P>/this/is/.../an_example_relevantInformationHere.2016-08-03.log</P> <P>What I want to do is to use regex to search through the strings and to find the part that says relevantInformationHere and create a table with that as the header. Right now my rex looks like:</P> <P>..|rex "an_example_(?\w+)."| table parameterName</P> <P>It looks like it worked in the regex testers that I used, but I am not receiving the expected output in splunk. What am I doing wrong and is there a difference between the splunk regex and the regex on another site?</P> <P>Thank you.</P> Tue, 29 Sep 2020 10:30:40 GMT https://community.splunk.com/t5/Splunk-Search/Formatting-Log-Name-with-Regex/m-p/210501#M187833 JibBgh 2020-09-29T10:30:40Z https://community.splunk.com/t5/Splunk-Search/Formatting-Log-Name-with-Regex/m-p/210502#M187834 <P>Try this</P> <PRE><CODE>... | rex field=_raw "_\w+_(?&lt;parameterName&gt;\w+)\." | table parameterName </CODE></PRE> Wed, 03 Aug 2016 14:46:13 GMT https://community.splunk.com/t5/Splunk-Search/Formatting-Log-Name-with-Regex/m-p/210502#M187834 sundareshr 2016-08-03T14:46:13Z https://community.splunk.com/t5/Splunk-Search/Formatting-Log-Name-with-Regex/m-p/210503#M187835 <P>When I tried that, it ended up putting the raw string parameterName instead of the actual value it should be.</P> Wed, 03 Aug 2016 14:58:46 GMT https://community.splunk.com/t5/Splunk-Search/Formatting-Log-Name-with-Regex/m-p/210503#M187835 JibBgh 2016-08-03T14:58:46Z https://community.splunk.com/t5/Splunk-Search/Formatting-Log-Name-with-Regex/m-p/210504#M187836 <P>I just test this run anywhere sample and it works. Can you test this and let me know the results</P> <PRE><CODE>| makeresults | eval x="/this/is/.../an_example_relevantInformationHere.2016-08-03.log" | rex field=x "_\w+_(?&lt;parameterName&gt;\w+)\." | table parameterName </CODE></PRE> Wed, 03 Aug 2016 15:42:44 GMT https://community.splunk.com/t5/Splunk-Search/Formatting-Log-Name-with-Regex/m-p/210504#M187836 sundareshr 2016-08-03T15:42:44Z https://community.splunk.com/t5/Splunk-Search/Formatting-Log-Name-with-Regex/m-p/210505#M187837 <P>Assuming you are talking about the source field give this a go:</P> <PRE><CODE>| rex field=source "(?&lt;parameterName&gt;[a-zA-Z]+)\.\d{4}-\d{2}-\d{2}\.\w+" </CODE></PRE> <P>Keep in mind you can play with the following bit [a-zA-Z]+ to accept whatever symbols you might expect in your relevant information section. Also remember \w+ includes underscores.</P> <P>Hope that helps</P> Wed, 03 Aug 2016 15:46:37 GMT https://community.splunk.com/t5/Splunk-Search/Formatting-Log-Name-with-Regex/m-p/210505#M187837 javiergn 2016-08-03T15:46:37Z https://community.splunk.com/t5/Splunk-Search/Formatting-Log-Name-with-Regex/m-p/210506#M187838 <P>That worked properly, however, will this work properly without hard coding the name?</P> Wed, 03 Aug 2016 18:30:08 GMT https://community.splunk.com/t5/Splunk-Search/Formatting-Log-Name-with-Regex/m-p/210506#M187838 JibBgh 2016-08-03T18:30:08Z https://community.splunk.com/t5/Splunk-Search/Formatting-Log-Name-with-Regex/m-p/210507#M187839 <P>Is the name of the file. As in the source? If it is, change the rex command to this and it should work</P> <PRE><CODE>rex field=source "_\w+_(?&lt;parameterName&gt;\w+)\." </CODE></PRE> Wed, 03 Aug 2016 18:38:22 GMT https://community.splunk.com/t5/Splunk-Search/Formatting-Log-Name-with-Regex/m-p/210507#M187839 sundareshr 2016-08-03T18:38:22Z