https://community.splunk.com/t5/Splunk-Search/Regex-to-extract-string-from-field-when-characters-5-and-6-match/m-p/583558#M203225 <P>OK, that's interesting because it doesn't match the example you gave</P><P><A href="https://regex101.com/r/MSD0rq/1" target="_blank">https://regex101.com/r/MSD0rq/1</A></P><P>&nbsp;</P> Thu, 03 Feb 2022 14:29:42 GMT ITWhisperer 2022-02-03T14:29:42Z https://community.splunk.com/t5/Splunk-Search/Regex-to-extract-string-from-field-when-characters-5-and-6-match/m-p/583438#M203168 <P>Hello,</P><P>I have a field 'narrative' which contains long strings describing what happened to a piece of equipment.&nbsp; Within that string in various locations, there is a substring that identifies the piece of equipment (Yes, it would be much better to have this as a defined field on its own, no I don't know why the sysadmins set it up this way, I just inherited it).&nbsp; The equipment identifier is a 16 character string, and the 5th and 6th characters are always the state abbreviation (ex. NJ for New Jersey, TX for Texas, etc.).&nbsp; It's not always the first substring within the field, so I can't just count to the first 5:6 characters.</P><P>Example: [may or may not be data here] 1234NJ56ABCD1234 [maybe some more data here]</P><P>I want to extract that 16 char substring that has a valid state abbreviation into a new field called "equip_id".&nbsp; I've tried rex narrative= "(\d{5}|\w{5})?(?&lt;equip_id&gt;\w{1})" but it is so far failing, and plus I think this would only get the 5th char.&nbsp; Plus I can't figure out where to put in the list of acceptable things to match against.&nbsp;&nbsp;</P><P>Any help appreciated.</P> Wed, 02 Feb 2022 18:22:24 GMT https://community.splunk.com/t5/Splunk-Search/Regex-to-extract-string-from-field-when-characters-5-and-6-match/m-p/583438#M203168 andyd 2022-02-02T18:22:24Z https://community.splunk.com/t5/Splunk-Search/Regex-to-extract-string-from-field-when-characters-5-and-6-match/m-p/583442#M203171 <P>You could list groups of 2 letter state abbreviations with | between (or operator)</P><P>Multiple rex commands are fine as it only sets equip_id if there is a match</P><LI-CODE lang="markup">| rex "\s?(?&lt;equip_id&gt;\w{4}(NJ|TX|CT)\w{10})\s" | rex "\s?(?&lt;equip_id&gt;\w{4}(NY|MA|CA|WA)\w{10})\s"</LI-CODE> Wed, 02 Feb 2022 18:41:27 GMT https://community.splunk.com/t5/Splunk-Search/Regex-to-extract-string-from-field-when-characters-5-and-6-match/m-p/583442#M203171 ITWhisperer 2022-02-02T18:41:27Z https://community.splunk.com/t5/Splunk-Search/Regex-to-extract-string-from-field-when-characters-5-and-6-match/m-p/583556#M203224 <P>Here's what we ended up using:</P><P><SPAN>&nbsp;rex field=narrative "(?&lt;equip_id&gt;[A-Z]{4}([NY|NJ|TX|OR]{2})[A-Za-z0-9]{10})"</SPAN></P> Thu, 03 Feb 2022 14:21:11 GMT https://community.splunk.com/t5/Splunk-Search/Regex-to-extract-string-from-field-when-characters-5-and-6-match/m-p/583556#M203224 andyd 2022-02-03T14:21:11Z https://community.splunk.com/t5/Splunk-Search/Regex-to-extract-string-from-field-when-characters-5-and-6-match/m-p/583558#M203225 <P>OK, that's interesting because it doesn't match the example you gave</P><P><A href="https://regex101.com/r/MSD0rq/1" target="_blank">https://regex101.com/r/MSD0rq/1</A></P><P>&nbsp;</P> Thu, 03 Feb 2022 14:29:42 GMT https://community.splunk.com/t5/Splunk-Search/Regex-to-extract-string-from-field-when-characters-5-and-6-match/m-p/583558#M203225 ITWhisperer 2022-02-03T14:29:42Z