https://community.splunk.com/t5/Splunk-Search/rex-field-extraction/m-p/572928#M199676 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/240256">@André</a>,</P><P>good for you, see next time!</P><P>Ciao and happy splunking.</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Fri, 29 Oct 2021 09:23:46 GMT gcusello 2021-10-29T09:23:46Z https://community.splunk.com/t5/Splunk-Search/rex-field-extraction/m-p/572923#M199673 <P>Hi,</P><P>I want to extract the following term from this message:</P><P>&nbsp;</P><P>(MaRSEPbac, [MaRSEPbac_Old2], [MaRSEPbac])</P><P>that means the string between ()..</P><P><U>message:</U><BR />16:21:32.843 &#27;[35m[gcp-pubsub-subscriber1]&#27;[0;39m &#27;[34mINFO &#27;[0;39m zbank.harissa.cockpit.InboundGateway - update: [export_service] context:RDB <STRONG>(MaRSEPbac, [MaRSEPbac_Old2], [MaRSEPbac])</STRONG> progress:3/3 status:successful msg:exporting rrid: [8d9a85b8-0d34-4dea-8901-17520b4b9b9d] rrid:f50a0cce-af13-4e64-88aa-84de045380ca</P><P>How does it goes?</P><P>Thanks!</P> Fri, 29 Oct 2021 09:09:35 GMT https://community.splunk.com/t5/Splunk-Search/rex-field-extraction/m-p/572923#M199673 André 2021-10-29T09:09:35Z https://community.splunk.com/t5/Splunk-Search/rex-field-extraction/m-p/572924#M199674 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/240256">@André</a>,</P><P>can you confirm that in your logs there's always the string "context:"?</P><P>if yes, you could use this regex:</P><LI-CODE lang="markup">| rex "context:\w+\s\((?&lt;your_field&gt;[^\)]+)"</LI-CODE><P>that you can test at&nbsp;<A href="https://regex101.com/r/irfJhy/1" target="_blank">https://regex101.com/r/irfJhy/1</A></P><P>If the above condition isn't present, please share a fixed point in your logs.</P><P>Ciao.</P><P>Giuseppe</P> Fri, 29 Oct 2021 09:16:23 GMT https://community.splunk.com/t5/Splunk-Search/rex-field-extraction/m-p/572924#M199674 gcusello 2021-10-29T09:16:23Z https://community.splunk.com/t5/Splunk-Search/rex-field-extraction/m-p/572927#M199675 <P>&nbsp;</P><P>Thanks Giuseppe, it works:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Andr_1-1635499157449.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/16663iAD44E04E1972664F/image-size/medium?v=v2&amp;px=400" role="button" title="Andr_1-1635499157449.png" alt="Andr_1-1635499157449.png" /></span></P><P>Thanks for link!</P> Fri, 29 Oct 2021 09:20:12 GMT https://community.splunk.com/t5/Splunk-Search/rex-field-extraction/m-p/572927#M199675 André 2021-10-29T09:20:12Z https://community.splunk.com/t5/Splunk-Search/rex-field-extraction/m-p/572928#M199676 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/240256">@André</a>,</P><P>good for you, see next time!</P><P>Ciao and happy splunking.</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Fri, 29 Oct 2021 09:23:46 GMT https://community.splunk.com/t5/Splunk-Search/rex-field-extraction/m-p/572928#M199676 gcusello 2021-10-29T09:23:46Z