https://community.splunk.com/t5/Splunk-Search/How-to-extract-value-from-a-field/m-p/601359#M209290 <P>There was a typo in my answer.&nbsp; I've fixed it.</P> Fri, 10 Jun 2022 13:18:26 GMT richgalloway 2022-06-10T13:18:26Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-value-from-a-field/m-p/601261#M209267 <P>Good Afternoon!</P> <P>I have a search (code example #1) that looks for the EventData_Xml field looking at programs installed. I'm creating a report to show what where and when. Trying to cut out the unneeded data and show just the program name, such as Microsoft Edge in the "Program Installed" column in the code example #2 below.</P> <P>Thank you in advance for any assistance. I appreciate it.</P> <P>&nbsp;</P> <LI-CODE lang="markup">index=wineventlog EventData_Xml="*" AND EventID=11707 | table host _time EventData_Xml | rename host as "Host", _time as "Time", EventData_Xml as "Program Installed" | convert ctime(Time)</LI-CODE><LI-CODE lang="markup">&lt;Data&gt;Product: Microsoft Edge -- Installation completed successfully.&lt;/Data&gt;&lt;Data&gt;(NULL)&lt;/Data&gt;&lt;Data&gt;(NULL)&lt;/Data&gt;&lt;Data&gt;(NULL)&lt;/Data&gt;&lt;Data&gt;(NULL)&lt;/Data&gt;&lt;Data&gt;(NULL)&lt;/Data&gt;&lt;Data&gt;&lt;/Data&gt;&lt;Binary&gt;7B34443639394544332D333539302D334635352D424638302D3732374546444242313032467D&lt;/Binary&gt;</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 09 Jun 2022 21:01:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-value-from-a-field/m-p/601261#M209267 thebankitgui 2022-06-09T21:01:54Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-value-from-a-field/m-p/601285#M209278 <P>The <FONT face="courier new,courier">rex</FONT> command can do that.</P><P>&nbsp;</P><LI-CODE lang="markup">index=wineventlog EventData_Xml="*" AND EventID=11707 | rex field=EventData_Xml "Product: (?&lt;Product&gt;[^-]+)" | table host _time Product | rename host as "Host", _time as "Time", Product as "Program Installed" | convert ctime(Time)</LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Fri, 10 Jun 2022 13:18:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-value-from-a-field/m-p/601285#M209278 richgalloway 2022-06-10T13:18:08Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-value-from-a-field/m-p/601341#M209285 <P>This is what I get with that string. This is the problem row. Thank you for your help.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="The results of this query." style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/20034iDE35ED9B0A3588B8/image-size/large?v=v2&amp;px=999" role="button" title="RexResults.jpg" alt="The results of this query." /><span class="lia-inline-image-caption" onclick="event.preventDefault();">The results of this query.</span></span></P> Fri, 10 Jun 2022 12:23:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-value-from-a-field/m-p/601341#M209285 thebankitgui 2022-06-10T12:23:48Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-value-from-a-field/m-p/601359#M209290 <P>There was a typo in my answer.&nbsp; I've fixed it.</P> Fri, 10 Jun 2022 13:18:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-value-from-a-field/m-p/601359#M209290 richgalloway 2022-06-10T13:18:26Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-value-from-a-field/m-p/601360#M209291 <P>Thank you very much! Looks nice and clean now. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 10 Jun 2022 13:26:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-value-from-a-field/m-p/601360#M209291 thebankitgui 2022-06-10T13:26:37Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-value-from-a-field/m-p/601362#M209293 <P>Any thoughts on sorting by time descending? I've tried a few different ways and it only sorts by the month at the beginning with 1 on top or 12 on top but not accurate to the whole date.<BR /><BR />I've tried | sort _time desc and asc and few other variations. Thank you.</P><P>&nbsp;</P><P>Edit: Disregard, one well placed "| sort - _time" before the table sorted by desc.</P><P>&nbsp;</P> Fri, 10 Jun 2022 14:56:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-value-from-a-field/m-p/601362#M209293 thebankitgui 2022-06-10T14:56:05Z