topic Re: Extract for field in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-use-extract-using-rex-command/m-p/620366#M215666 <P>Assuming the field is as written and is in the _raw field</P><LI-CODE lang="markup">| rex "user id\":\"(?&lt;user_id&gt;[^\"]*)\",\s+\"Expense Date\":\"(?&lt;expense_date&gt;[^\"]*)"</LI-CODE> Thu, 10 Nov 2022 05:36:54 GMT bowesmana 2022-11-10T05:36:54Z How to use extract using rex command? https://community.splunk.com/t5/Splunk-Search/How-to-use-extract-using-rex-command/m-p/620364#M215665 <P><SPAN>"</SPAN><SPAN class="">Context</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"{"user</SPAN>&nbsp;id<SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">jane.doe.sen</SPAN><SPAN>", "<SPAN class="">Expense</SPAN> <SPAN class="">Date</SPAN>"<SPAN class="">:</SPAN>"11<SPAN class="">/10/2022</SPAN>",</SPAN></P> <P><SPAN>How to use extract this rex command?&nbsp; &nbsp; &nbsp;</SPAN></P> <P><SPAN>to come up result like&nbsp;</SPAN></P> <TABLE border="0" width="128" cellspacing="0" cellpadding="0"> <TBODY> <TR> <TD width="64" height="20">user&nbsp;id</TD> <TD width="64">Expense Date</TD> </TR> <TR> <TD height="20">jane.doe.sen</TD> <TD>9/6/2022</TD> </TR> </TBODY> </TABLE> <P><SPAN>please help&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;</SPAN></P> Thu, 10 Nov 2022 15:35:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-extract-using-rex-command/m-p/620364#M215665 wvsgo215 2022-11-10T15:35:59Z Re: Extract for field https://community.splunk.com/t5/Splunk-Search/How-to-use-extract-using-rex-command/m-p/620366#M215666 <P>Assuming the field is as written and is in the _raw field</P><LI-CODE lang="markup">| rex "user id\":\"(?&lt;user_id&gt;[^\"]*)\",\s+\"Expense Date\":\"(?&lt;expense_date&gt;[^\"]*)"</LI-CODE> Thu, 10 Nov 2022 05:36:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-extract-using-rex-command/m-p/620366#M215666 bowesmana 2022-11-10T05:36:54Z