https://community.splunk.com/t5/Splunk-Search/Rex-and-Regex-Field-Extraction/m-p/76497#M19351 <P>Thank you for your prompt response. I've copied and pasted what you've wrote, but the extracted fields bxmt and brcv do not show up under the selected fields nor interesting fields, so seemingly they have not been extracted. Is there something I'm missing or do I just pipe the additional statements (eval and timechart)?</P> Wed, 27 Mar 2013 19:15:14 GMT mistertj3 2013-03-27T19:15:14Z https://community.splunk.com/t5/Splunk-Search/Rex-and-Regex-Field-Extraction/m-p/76495#M19349 <P>Hello all,</P> <P>I am trying to extract fields (tried the dynamic extraction and manual using rex&amp;regex) but am unable to get it just right. My data looks like the following:</P> <P>Apr 30 00:48:25 "ip_address" Apr 30 2012 00:48:25: %ASA-4-113019: Group = "Group", <BR /> Username = "User", IP = "ip_address", <BR /> Session disconnected. Session Type: SSL, Duration: 1h:59m:24s, Bytes xmt: 86659734, <BR /> Bytes rcv: 4557700, Reason: User Requested</P> <P>I would like to extract the Bytes xmt and Bytes rcv to separate fields (on search time). Then I would like pipe to an eval statement that adds them then another pipe to the timechart. </P> <P>I have tried a lot of regex and rex combinations using this site <A href="http://www.regular-expressions.info/reference.html" target="_blank">regular expression reference</A> as a ref . But I've only gotten as far as rex field=_raw "Bytes xmt: (?<BYTES transferred="">.,)" , which only gives the first decimal?</BYTES></P> <P>I am probably doing this entirely wrong as this is my first expression so any help you can give would be great!</P> <P>Thank you,</P> Mon, 28 Sep 2020 13:37:46 GMT https://community.splunk.com/t5/Splunk-Search/Rex-and-Regex-Field-Extraction/m-p/76495#M19349 mistertj3 2020-09-28T13:37:46Z https://community.splunk.com/t5/Splunk-Search/Rex-and-Regex-Field-Extraction/m-p/76496#M19350 <P>How about</P> <P><CODE><BR /> rex field=_raw ".*Bytes xmt: (?&lt;bxmt&gt;\d+), Bytes rcv: (?&lt;brcv&gt;\d+),.*"<BR /> <CODE></CODE></CODE></P> Wed, 27 Mar 2013 18:42:51 GMT https://community.splunk.com/t5/Splunk-Search/Rex-and-Regex-Field-Extraction/m-p/76496#M19350 lain179 2013-03-27T18:42:51Z https://community.splunk.com/t5/Splunk-Search/Rex-and-Regex-Field-Extraction/m-p/76497#M19351 <P>Thank you for your prompt response. I've copied and pasted what you've wrote, but the extracted fields bxmt and brcv do not show up under the selected fields nor interesting fields, so seemingly they have not been extracted. Is there something I'm missing or do I just pipe the additional statements (eval and timechart)?</P> Wed, 27 Mar 2013 19:15:14 GMT https://community.splunk.com/t5/Splunk-Search/Rex-and-Regex-Field-Extraction/m-p/76497#M19351 mistertj3 2013-03-27T19:15:14Z https://community.splunk.com/t5/Splunk-Search/Rex-and-Regex-Field-Extraction/m-p/76498#M19352 <P>There should be backslashes in front of the d+ characters. The comment forum doesn't always post them properly.</P> Wed, 27 Mar 2013 19:39:32 GMT https://community.splunk.com/t5/Splunk-Search/Rex-and-Regex-Field-Extraction/m-p/76498#M19352 cphair 2013-03-27T19:39:32Z https://community.splunk.com/t5/Splunk-Search/Rex-and-Regex-Field-Extraction/m-p/76499#M19353 <P>Edited to show the backslashes.</P> Wed, 27 Mar 2013 20:25:14 GMT https://community.splunk.com/t5/Splunk-Search/Rex-and-Regex-Field-Extraction/m-p/76499#M19353 sowings 2013-03-27T20:25:14Z https://community.splunk.com/t5/Splunk-Search/Rex-and-Regex-Field-Extraction/m-p/76500#M19354 <P>Got it and now have a better understanding of rex&amp;regex. Thank you for all of your help and prompt responses!</P> Sat, 30 Mar 2013 17:58:43 GMT https://community.splunk.com/t5/Splunk-Search/Rex-and-Regex-Field-Extraction/m-p/76500#M19354 mistertj3 2013-03-30T17:58:43Z