https://community.splunk.com/t5/Splunk-Search/Field-extraction-regex-issues/m-p/625144#M217310 <P>Hi Giuseppe,</P><P>Looks like that fails. e.g. zero counts for index = XXXXXXX | stats count by Session.</P><P>I did forget to put a line in the source so likely that is the issue.</P><P>--TIME: 2022-12-23 07:17:09.399<BR />SESSION: Session closed<BR />Client address: 123.CCCCCCC<BR />Client name: CC222C22[123.123.12.123]<BR />User interface: CCCCCCC</P><P>&nbsp;</P> Thu, 22 Dec 2022 23:25:22 GMT svarendorff 2022-12-22T23:25:22Z https://community.splunk.com/t5/Splunk-Search/Field-extraction-regex-issues/m-p/625047#M217281 <P>Having some issue with extraction.</P><P>source:</P><P>SESSION: Session closed<BR />Client address: 123.CCCCCCC<BR />Client name: CC222C22[123.123.12.123]<BR />User interface: CCCCCCC</P><P><A href="https://regex101.com/" target="_blank" rel="noopener">https://regex101.com/</A>&nbsp;shows that&nbsp;^[^\.\n]*SESSION:(?P&lt;Session&gt;.*) will work.</P><P>Splunk when trying returns almost the complete message. Almost like it does not see the new line</P><P>&nbsp;</P><P>Basically I want from SESSION: to the end of line and if Splunk cannot do that to Client.</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 22 Dec 2022 07:30:41 GMT https://community.splunk.com/t5/Splunk-Search/Field-extraction-regex-issues/m-p/625047#M217281 svarendorff 2022-12-22T07:30:41Z https://community.splunk.com/t5/Splunk-Search/Field-extraction-regex-issues/m-p/625050#M217282 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/32097">@svarendorff</a>,</P><P>please try this regex :</P><LI-CODE lang="markup">(?ms)^[^\.\n]*SESSION:(?P&lt;Session&gt;.*)\nClient\s+address</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Thu, 22 Dec 2022 07:38:46 GMT https://community.splunk.com/t5/Splunk-Search/Field-extraction-regex-issues/m-p/625050#M217282 gcusello 2022-12-22T07:38:46Z https://community.splunk.com/t5/Splunk-Search/Field-extraction-regex-issues/m-p/625144#M217310 <P>Hi Giuseppe,</P><P>Looks like that fails. e.g. zero counts for index = XXXXXXX | stats count by Session.</P><P>I did forget to put a line in the source so likely that is the issue.</P><P>--TIME: 2022-12-23 07:17:09.399<BR />SESSION: Session closed<BR />Client address: 123.CCCCCCC<BR />Client name: CC222C22[123.123.12.123]<BR />User interface: CCCCCCC</P><P>&nbsp;</P> Thu, 22 Dec 2022 23:25:22 GMT https://community.splunk.com/t5/Splunk-Search/Field-extraction-regex-issues/m-p/625144#M217310 svarendorff 2022-12-22T23:25:22Z https://community.splunk.com/t5/Splunk-Search/Field-extraction-regex-issues/m-p/625149#M217314 <P>Why struggle with \n when this will do? (New line is one character in SPL's PCRE that is not fully PCRE conformant.)</P><LI-CODE lang="markup">| rex "SESSION: (?&lt;Session&gt;.+)"</LI-CODE><P>This is my emulation</P><LI-CODE lang="markup">| makeresults | fields - _time | eval _raw = "--TIME: 2022-12-23 07:17:09.399 SESSION: Session closed Client address: 123.CCCCCCC Client name: CC222C22[123.123.12.123] User interface: CCCCCCC" ``` data emulation above ```</LI-CODE><P>The result is</P><TABLE border="1" width="100%"><TBODY><TR><TD width="50%" height="25px">Session</TD><TD width="50%" height="25px">_raw</TD></TR><TR><TD width="50%" height="25px"><SPAN>Session closed</SPAN></TD><TD width="50%" height="25px"><SPAN>--TIME: 2022-12-23 07:17:09.399 SESSION: Session closed Client address: 123.CCCCCCC Client name: CC222C22[123.123.12.123] User interface: CCCCCCC</SPAN></TD></TR></TBODY></TABLE> Fri, 23 Dec 2022 01:54:31 GMT https://community.splunk.com/t5/Splunk-Search/Field-extraction-regex-issues/m-p/625149#M217314 yuanliu 2022-12-23T01:54:31Z https://community.splunk.com/t5/Splunk-Search/Field-extraction-regex-issues/m-p/625152#M217316 <P>Thank you Yuanliu. New to this type of items in Splunk so very happy for any advice and assistance.</P><P>So</P><PRE>| rex "SESSION: (?&lt;Session&gt;.+)"</PRE><P>works in a search</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="svarendorff_0-1671762088672.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/23125iE961BE5E0AC95CEE/image-size/medium?v=v2&amp;px=400" role="button" title="svarendorff_0-1671762088672.png" alt="svarendorff_0-1671762088672.png" /></span></P><P>However, as an extraction I get nothing. Likely overlap with another similar that looks for Activity. May be best for these to do just in the search hard coded as the events have so many different items.</P><P>E,g, the second line has Session, Activity, User, etc that I would like to extract.</P><P>&nbsp;</P> Fri, 23 Dec 2022 02:28:17 GMT https://community.splunk.com/t5/Splunk-Search/Field-extraction-regex-issues/m-p/625152#M217316 svarendorff 2022-12-23T02:28:17Z https://community.splunk.com/t5/Splunk-Search/Field-extraction-regex-issues/m-p/625161#M217317 <P>In SPL, newline is often represented by \s (as opposed to \n). &nbsp;I don't know the exact rule to be frank. &nbsp;So, you can try something like this in field extraction</P><LI-CODE lang="markup">"TIME: \d{4}(-\d\d){2} \d\d:\d\d:\d\d\.\d{3}\sSESSION: (?&lt;Session&gt;.+)\sClient address:"</LI-CODE><P>It works with rex.</P> Fri, 23 Dec 2022 06:48:11 GMT https://community.splunk.com/t5/Splunk-Search/Field-extraction-regex-issues/m-p/625161#M217317 yuanliu 2022-12-23T06:48:11Z