https://community.splunk.com/t5/Splunk-Search/Extraction-not-working-as-expected/m-p/571630#M199197 <P>Your regex won't work for events which have commas in the values since every comma is treated as a field separator.</P><P>You could try delimiter-based parsing. But if you really want a regex, you have to account for exceptions.</P><P>You can try, for example, something like:</P><LI-CODE lang="markup">(?:([^",]+|"[^"]*"),){19}"(?&lt;instance&gt;[^"]+)",.*</LI-CODE><P>Of course it's a raw regex, if you want to put it as a string into a command, you have to escape the quotation marks.</P> Wed, 20 Oct 2021 10:47:01 GMT PickleRick 2021-10-20T10:47:01Z https://community.splunk.com/t5/Splunk-Search/Extraction-not-working-as-expected/m-p/571595#M199176 <P>Hello team,</P><P>&nbsp;</P><P>I am trying to extract the below highlighted fields. However when I use the expression this is working right on one type of event but picking a different(underlined) field from other event. Please let me know what wrong I am doing here.</P><P>&nbsp;</P><P>(?:[^,]+,){19}\"(?&lt;instance&gt;[^,]+)\",.*<BR /><BR />Below is the event which is getting extracted as expected.</P><P>50271232,00004102,00000000,1600,"20210901225500","20210901225500",4,-1,-1,"SYSTEM","","psd217",46769357,"MS932","KAVS0260-I \x83W\x83\x87\x83u\x83l\x83b\x83g(AJSROOT1:/\x90V\x8A_\x96{\x94ԏ\x88\x97\x9D/\x92l\x8ED\x94\xAD\x8Ds/04_\x92l\x8ED\x8Ew\x8E\xA6\x83f\x81[\x83^\x98A\x8Cg_\x8CߑO1TAX:@5V689)\x82\xF0\x8AJ\x8En\x82\xB5\x82܂\xB7","Information","jp1admin","/APP/ABC/AJS2","JOBNET","<STRONG>Server2:/\x90V\x8A_\x96{\x94ԏ\x88\x97\x9D/\x92l\x8ED\x94\xAD\x8Ds/04_\x92l\x8ED\x8Ew\x8E\xA6\x83f\x81[\x83^\x98A\x8Cg_\x8CߑO1TAX</STRONG>","JOBNET","AJSROOT1:/\x90V\x8A_\x96{\x94ԏ\x88\x97\x9D/\x92l\x8ED\x94\xAD\x8Ds/04_\x92l\x8ED\x8Ew\x8E\xA6\x83f\x81[\x83^\x98A\x8Cg_\x8CߑO1TAX","AJSROOT1:/\x90V\x8A_\x96{\x94ԏ\x</P><P>&nbsp;</P><P>&nbsp;</P><P>Below highlighted is what I need to extract but the underlined is getting extracted.<BR />50271228,00004105,00000000,3088,"20210901225446","20210901225446",4,-1,-1,"SYSTEM","","psd240",316413752,"MS932","KAVS0263-I \x83W\x83\x87\x83u(AJSROOT1:/\x90V\x8A_\x96{\x94ԏ\x88\x97\x9D/MCS/\x8AĎ\x8B/09_\x92\x8D\x95\xB6\x91\x97\x90M\x96\xA2\x8DX\x90V\x8D\x80\x96ڃ`\x83F\x83b\x83N/HULFT\x91\x97\x90M\x8C㎞\x8Aԑҋ@1MIN:@50R6189)\x82\xF0\x8AJ\x8En\x82\xB5\x82܂\xB7(host: PSD511, JOBID: 0)","Information","jp1admin","/App/ABC/AJS2","<STRONG><U>JOB</U></STRONG>","<STRONG>Server1:/\x90V\x8A_\x96{\x94ԏ\x88\x97\x9D/MCS/\x8AĎ\x8B/09_\x92\x8D\x95\xB6\x91\x97\x90M\x96\xA2\x8DX\x90V\x8D\x80\x96ڃ`\x83F\x83b\x83N/HULFT\x91\x97\x90M\x8C㎞\x8Aԑҋ@1MIN</STRONG>","JOBNET","AJSROOT1:/\x90V\x8A_\x96{\x94ԏ\x88\x97\x9D/MCS/\x8AĎ\x8B/09_\x92\x8D\x95\xB6\x91\x97\x90M\x96\xA2\x8DX\x90V\x8D\x80\x96ڃ`\x83F\x83b\x83N","AJSROOT1:/\x90V\x8A_\x96{\x94ԏ\x88\x97\x9D/MCS/\x8AĎ\x8B/09_\x92\x8D\x95\xB6\x91\x97\x90M\x96\xA2\x8DX\x90V\x8D\x80\x96ڃ`\x83F\x83b\x83N/HULFT\</P> Wed, 20 Oct 2021 07:16:48 GMT https://community.splunk.com/t5/Splunk-Search/Extraction-not-working-as-expected/m-p/571595#M199176 srinivas_gowda 2021-10-20T07:16:48Z https://community.splunk.com/t5/Splunk-Search/Extraction-not-working-as-expected/m-p/571630#M199197 <P>Your regex won't work for events which have commas in the values since every comma is treated as a field separator.</P><P>You could try delimiter-based parsing. But if you really want a regex, you have to account for exceptions.</P><P>You can try, for example, something like:</P><LI-CODE lang="markup">(?:([^",]+|"[^"]*"),){19}"(?&lt;instance&gt;[^"]+)",.*</LI-CODE><P>Of course it's a raw regex, if you want to put it as a string into a command, you have to escape the quotation marks.</P> Wed, 20 Oct 2021 10:47:01 GMT https://community.splunk.com/t5/Splunk-Search/Extraction-not-working-as-expected/m-p/571630#M199197 PickleRick 2021-10-20T10:47:01Z