https://community.splunk.com/t5/Splunk-Search/Regex-expression-to-extract-fields/m-p/572751#M199625 <P>I was able to get this to work by changing w to S like this:</P><P>Target\s+(?&lt;Target&gt;\S+)</P><P>Thanks again for the help</P><P>&nbsp;</P> Wed, 27 Oct 2021 21:28:15 GMT cgbsplunk 2021-10-27T21:28:15Z https://community.splunk.com/t5/Splunk-Search/Regex-expression-to-extract-fields/m-p/572722#M199618 <P>I have two fields below that show up in our log files.&nbsp; I used Splunk tool to create the Regex to extract the fields and at first I thought it worked until we had fields with different values that didn't extract.&nbsp; Is there a simple Regex I can use to extract ObjectType and Domain Controller fields in example below?&nbsp; Values should never have space so we can end value after first space.</P><P>ObjectType User</P><P>Domain Controller TSTETCDRS001</P> Wed, 27 Oct 2021 17:59:54 GMT https://community.splunk.com/t5/Splunk-Search/Regex-expression-to-extract-fields/m-p/572722#M199618 cgbsplunk 2021-10-27T17:59:54Z https://community.splunk.com/t5/Splunk-Search/Regex-expression-to-extract-fields/m-p/572730#M199619 <P>Show us a sample of your full events.</P> Wed, 27 Oct 2021 19:19:17 GMT https://community.splunk.com/t5/Splunk-Search/Regex-expression-to-extract-fields/m-p/572730#M199619 PickleRick 2021-10-27T19:19:17Z https://community.splunk.com/t5/Splunk-Search/Regex-expression-to-extract-fields/m-p/572735#M199620 <P>These are coming from windows event logs.&nbsp; Some of the fields are in name value pairs and extract on their own but last 4 fields are the ones I need expressions for.&nbsp; Here is example of entire message:</P><P>10/27/2021 02:39:17 PM<BR />LogName=Application<BR />EventCode=16117<BR />EventType=0<BR />ComputerName=XXXXXXXXX002.xxxx.com<BR />User=NOT_TRANSLATED<BR />Sid=S-1-5-21-114000000-41296648-3127784425-637889<BR />SidType=0<BR />SourceName=AdminSvc<BR />Type=Information<BR />RecordNumber=1502524<BR />Keywords=Audit Success, Classic<BR />TaskCategory=SetInfo<BR />OpCode=None<BR />Message=Action SetInfo<BR />ObjectType Computer<BR />AssistantAdmin xxxx\xxxxx<BR />Target xxxxx\xxxx-xxxx$<BR />Domain Controller xxxxxx06<BR />AccountDisabled</P> Wed, 27 Oct 2021 19:46:38 GMT https://community.splunk.com/t5/Splunk-Search/Regex-expression-to-extract-fields/m-p/572735#M199620 cgbsplunk 2021-10-27T19:46:38Z https://community.splunk.com/t5/Splunk-Search/Regex-expression-to-extract-fields/m-p/572738#M199621 <P>And simple</P><PRE>Object\s+Type\s+(?&lt;Object Type&gt;\w+)</PRE><P>Doesn't work?</P><P>Same for the other one</P><PRE>Domain\s+Controller\s+(?&lt;Domain Controller&gt;\w+)</PRE><P>Check your regexes on <A href="https://regex101.com" target="_blank">https://regex101.com</A></P> Wed, 27 Oct 2021 19:51:45 GMT https://community.splunk.com/t5/Splunk-Search/Regex-expression-to-extract-fields/m-p/572738#M199621 PickleRick 2021-10-27T19:51:45Z https://community.splunk.com/t5/Splunk-Search/Regex-expression-to-extract-fields/m-p/572748#M199624 <P>Really appreciate the help.&nbsp; That worked for those 2.&nbsp; I also need one for Target.&nbsp; I tried this:</P><P>Target\s+(?&lt;Target&gt;\w+)</P><P>But with a value of this:</P><P>Target ABCDE\test.user</P><P>I only get the ABCDE.&nbsp; How do I change the expression to get the entire ABCDE\test.user</P><P>&nbsp;</P> Wed, 27 Oct 2021 21:08:26 GMT https://community.splunk.com/t5/Splunk-Search/Regex-expression-to-extract-fields/m-p/572748#M199624 cgbsplunk 2021-10-27T21:08:26Z https://community.splunk.com/t5/Splunk-Search/Regex-expression-to-extract-fields/m-p/572751#M199625 <P>I was able to get this to work by changing w to S like this:</P><P>Target\s+(?&lt;Target&gt;\S+)</P><P>Thanks again for the help</P><P>&nbsp;</P> Wed, 27 Oct 2021 21:28:15 GMT https://community.splunk.com/t5/Splunk-Search/Regex-expression-to-extract-fields/m-p/572751#M199625 cgbsplunk 2021-10-27T21:28:15Z