https://community.splunk.com/t5/Splunk-Search/Help-with-Regex/m-p/625676#M217475 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/252586">@MrIncredible</a>,</P><P>you can use:</P><P>&nbsp;</P><LI-CODE lang="markup">| rex "facilityAlias\":\"(?&lt;facility&gt;.*)\",\"systemName"</LI-CODE><P>&nbsp;</P><P>or (better):</P><P>&nbsp;</P><LI-CODE lang="markup">| rex "facilityAlias\":\"(?&lt;facility&gt;[^\"]*)"</LI-CODE><P>&nbsp;</P><P>that's more generic and you can test at <A href="https://regex101.com/r/jnbSgk/1" target="_blank">https://regex101.com/r/jnbSgk/1</A> .</P><P>Ciao.</P><P>Giuseppe</P> Tue, 03 Jan 2023 08:25:15 GMT gcusello 2023-01-03T08:25:15Z https://community.splunk.com/t5/Splunk-Search/Help-with-Regex/m-p/625668#M217470 <P><SPAN>&nbsp;I have a field "facilityAlias" for which location can be changed in every api log file. I have to extract that field using Regex method. I have tried Regex statement but not getting expected result.</SPAN></P> <P><SPAN>Regex statement: rex field=_raw "facilityAlias\":\"(?&lt;facility</SPAN><SPAN>&gt;.*)\","</SPAN><BR /><BR /><SPAN>expected result: Parc de Salut Mar Barcelona</SPAN><BR /><SPAN>current result: Parc de Salut Mar Barcelona","systemName":"CMPSB</SPAN></P> <P>&nbsp;</P> <P>Sample Log file:</P> <P>sample log: 2023-01-02 23:36:58,521 [[MuleRuntime].uber.3869: [abcd-message-kdhskhdsk-api].Delete_msg_from_queue.BLOCKING @27fe0275] INFO&nbsp; com.skdhksh.jsdhjshd.hsd.logging.internal.CustomLoggerOperations - {"environment":"stag36rcf_eu-env","applicationName":"abcd-message-kdhskhdsk-api","correlationId":"kshddhks-3o4u-jshd8-aksdbkadkahd","apiProcessingTime":347,"totalProcessingTime":740,"tracePoint":"END","logMessage":"{\n&nbsp; \"url\": \"abcd\",\n&nbsp; \"bucketName\": \"dipeus-data-store\",\n&nbsp; \"s3versionID\": \"shdkshdkshdkshdkshdkshdkjshd\",\n&nbsp; \"s3key\": \"ljdljdlajldj]dsdsd\ksdjksjdksjdksjdksjksjd\ksdjksjd\"\n}","txnMetadata":{"bundleId":"ahsdkhsdh-skjdhshdkshd-skdhshdks-skdhkshd","messageType":"abcd","messageSubType":"kdshdkshdks","facilityAlias":"Parc de Salut Mar Barcelona","systemName":"CMPSB","transactionStartTime":1672702617781,"relatesToPatientMerge":false,"inputPayload":"adhkjshdkshdkshdkshd"},"apiStartTime":"1672702618174"}</P> Tue, 03 Jan 2023 16:08:07 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-Regex/m-p/625668#M217470 MrIncredible 2023-01-03T16:08:07Z https://community.splunk.com/t5/Splunk-Search/Help-with-Regex/m-p/625676#M217475 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/252586">@MrIncredible</a>,</P><P>you can use:</P><P>&nbsp;</P><LI-CODE lang="markup">| rex "facilityAlias\":\"(?&lt;facility&gt;.*)\",\"systemName"</LI-CODE><P>&nbsp;</P><P>or (better):</P><P>&nbsp;</P><LI-CODE lang="markup">| rex "facilityAlias\":\"(?&lt;facility&gt;[^\"]*)"</LI-CODE><P>&nbsp;</P><P>that's more generic and you can test at <A href="https://regex101.com/r/jnbSgk/1" target="_blank">https://regex101.com/r/jnbSgk/1</A> .</P><P>Ciao.</P><P>Giuseppe</P> Tue, 03 Jan 2023 08:25:15 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-Regex/m-p/625676#M217475 gcusello 2023-01-03T08:25:15Z https://community.splunk.com/t5/Splunk-Search/Help-with-Regex/m-p/625678#M217477 <P>Many thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;for your quick reply. 2nd option will work as in 1st option i don't want to restrict it with particular postfix.</P> Tue, 03 Jan 2023 09:14:36 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-Regex/m-p/625678#M217477 MrIncredible 2023-01-03T09:14:36Z