https://community.splunk.com/t5/Splunk-Search/Extracting-words-in-a-string-with-regular-expressions/m-p/580812#M202344 <P>You can use rex max_match=0 to get multiple matches</P> Wed, 12 Jan 2022 16:05:20 GMT ITWhisperer 2022-01-12T16:05:20Z https://community.splunk.com/t5/Splunk-Search/Extracting-words-in-a-string-with-regular-expressions/m-p/580722#M202302 <P>Hi,</P><P>i need help to extract word from a string</P><P>&nbsp;</P><P>string</P><P>Security agent installation attempted Endpoint: (Not Found)<BR />Security agent intstallation attempted Endpoint: hostname</P><P>&nbsp;</P><P>result</P><P>Not Found</P><P>hostname</P><P>&nbsp;</P><P>how can i construct a regular expression to extract out what i wanted?</P><P>&nbsp;</P> Wed, 12 Jan 2022 06:54:46 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-words-in-a-string-with-regular-expressions/m-p/580722#M202302 7ryota 2022-01-12T06:54:46Z https://community.splunk.com/t5/Splunk-Search/Extracting-words-in-a-string-with-regular-expressions/m-p/580724#M202303 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/242115">@7ryota</a>,</P><P>you could use two regexes like the following:</P><LI-CODE lang="markup">| rex ":\s+\(*(?&lt;result&gt;.+)" | rex field=result "^(?&lt;result&gt;[^)]+)"</LI-CODE><P>The first extract the full value and the second deletes the parenthesis when present.</P><P>Ciao.</P><P>Giuseppe</P> Wed, 12 Jan 2022 07:27:44 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-words-in-a-string-with-regular-expressions/m-p/580724#M202303 gcusello 2022-01-12T07:27:44Z https://community.splunk.com/t5/Splunk-Search/Extracting-words-in-a-string-with-regular-expressions/m-p/580731#M202305 <P>not sure how to remove the ")" at the "Not Found)"</P><LI-CODE lang="markup">|makeresults | eval string="Security agent installation attempted Endpoint: (Not Found) Security agent intstallation attempted Endpoint: hostname" | rex field=string max_match=0 ":\s+\(?(?P&lt;result&gt;.+)" |table string result</LI-CODE><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="rex-string.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/17532iD058287FD05710A2/image-size/large?v=v2&amp;px=999" role="button" title="rex-string.png" alt="rex-string.png" /></span></P> Wed, 12 Jan 2022 08:04:27 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-words-in-a-string-with-regular-expressions/m-p/580731#M202305 inventsekar 2022-01-12T08:04:27Z https://community.splunk.com/t5/Splunk-Search/Extracting-words-in-a-string-with-regular-expressions/m-p/580736#M202308 <LI-CODE lang="markup">| rex ":\s+\(*(?&lt;result&gt;[^)]+)"</LI-CODE> Wed, 12 Jan 2022 08:38:00 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-words-in-a-string-with-regular-expressions/m-p/580736#M202308 ITWhisperer 2022-01-12T08:38:00Z https://community.splunk.com/t5/Splunk-Search/Extracting-words-in-a-string-with-regular-expressions/m-p/580783#M202329 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;... i am trying to learn and understand your rex, as i ran it, but it does not fetch the string.. not sure what went wrong.. please suggest.&nbsp;</P><P>i used this search:&nbsp;</P><LI-CODE lang="markup">|makeresults | eval string="Security agent installation attempted Endpoint: (Not Found) Security agent intstallation attempted Endpoint: hostname" | rex ":\s+\(*(?&lt;result&gt;[^)]+)" |table string result</LI-CODE><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="rex-string1.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/17536i77E4DFA37083B5E0/image-size/large?v=v2&amp;px=999" role="button" title="rex-string1.png" alt="rex-string1.png" /></span></P> Wed, 12 Jan 2022 13:48:22 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-words-in-a-string-with-regular-expressions/m-p/580783#M202329 inventsekar 2022-01-12T13:48:22Z https://community.splunk.com/t5/Splunk-Search/Extracting-words-in-a-string-with-regular-expressions/m-p/580787#M202330 <P>By default, rex operates on the _raw field. Either change your eval so it assigns to _raw rather than string or add field=string to the rex</P> Wed, 12 Jan 2022 14:08:31 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-words-in-a-string-with-regular-expressions/m-p/580787#M202330 ITWhisperer 2022-01-12T14:08:31Z https://community.splunk.com/t5/Splunk-Search/Extracting-words-in-a-string-with-regular-expressions/m-p/580808#M202341 <P>Sure <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;, but, still it found only first match.. the "hostname" was not matched..&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="rex-string2.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/17537iBB8F149237AE431B/image-size/large?v=v2&amp;px=999" role="button" title="rex-string2.png" alt="rex-string2.png" /></span></P> Wed, 12 Jan 2022 15:35:06 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-words-in-a-string-with-regular-expressions/m-p/580808#M202341 inventsekar 2022-01-12T15:35:06Z https://community.splunk.com/t5/Splunk-Search/Extracting-words-in-a-string-with-regular-expressions/m-p/580812#M202344 <P>You can use rex max_match=0 to get multiple matches</P> Wed, 12 Jan 2022 16:05:20 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-words-in-a-string-with-regular-expressions/m-p/580812#M202344 ITWhisperer 2022-01-12T16:05:20Z