https://community.splunk.com/t5/Splunk-Search/How-to-create-rex-to-extract-field/m-p/626972#M217891 <P>The rex command works for me.</P><LI-CODE lang="markup">| rex "identification=(?&lt;identification&gt;\w+)"</LI-CODE> Thu, 12 Jan 2023 20:19:27 GMT richgalloway 2023-01-12T20:19:27Z https://community.splunk.com/t5/Splunk-Search/How-to-create-rex-to-extract-field/m-p/626970#M217889 <P>From here i need to extarct the identification=MLAS, MLA, LAS and VAM<BR />My sample logs:<BR />[12/12/21] 12:10:112 GMT] I6789HIOO applicattion authenticationid=100| |35467577889999| |67775-ghhgfrt-6788h-7667788; clientid="7689-jhgg-8765r-kkjggt"; app=" "; QueryLetter="yard=MS&amp;identification=MLAS&amp;timeRange=EVERYDAY&amp;timePeriod=MINUTES<BR /><BR />[12/12/21] 12:10:112 GMT] I6789HIOO applicattion authenticationid=100| |35467577889999| |67775-ghhgfrt-6788h-7667788; clientid="7689-jhgg-8765r-kkjggt"; app=" "; QueryLetter="yard=MS&amp;identification=MLA&amp;timeRange=EVERYDAY&amp;timePeriod=MINUTES</P> <P>[12/12/21] 12:10:112 GMT] I6789HIOO applicattion authenticationid=100| |35467577889999| |67775-ghhgfrt-6788h-7667788; clientid="7689-jhgg-8765r-kkjggt"; app=" "; QueryLetter="yard=MS&amp;identification=LAS&amp;timeRange=EVERYDAY&amp;timePeriod=MINUTES<BR /><BR />[12/12/21] 12:10:112 GMT] I6789HIOO applicattion authenticationid=100| |35467577889999| |67775-ghhgfrt-6788h-7667788; clientid="7689-jhgg-8765r-kkjggt"; app=" "; QueryLetter="yard=MS&amp;identification=VAM&amp;timeRange=EVERYDAY&amp;timePeriod=MINUTES<BR /><BR />in my selected fileds or intresting fileds&nbsp; indeentification fileds&nbsp; should appear has below:<BR />MLAS<BR />MLA<BR />LAS&nbsp;<BR />VAM<BR /><BR /></P> Thu, 12 Jan 2023 20:40:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-rex-to-extract-field/m-p/626970#M217889 Harish2 2023-01-12T20:40:40Z https://community.splunk.com/t5/Splunk-Search/How-to-create-rex-to-extract-field/m-p/626972#M217891 <P>The rex command works for me.</P><LI-CODE lang="markup">| rex "identification=(?&lt;identification&gt;\w+)"</LI-CODE> Thu, 12 Jan 2023 20:19:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-rex-to-extract-field/m-p/626972#M217891 richgalloway 2023-01-12T20:19:27Z https://community.splunk.com/t5/Splunk-Search/How-to-create-rex-to-extract-field/m-p/627036#M217921 <P>Are posted logs raw events? &nbsp;Is there some settings in your sourcetype (props.conf) that prevents automatic extraction of the fields you wanted? &nbsp;Because the field names and values are connected by equal sign, Splunk should have already extracted them.</P><P>Here is an emulation of your samples:</P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults | fields - _time | eval data = split("[12/12/21] 12:10:112 GMT] I6789HIOO applicattion authenticationid=100| |35467577889999| |67775-ghhgfrt-6788h-7667788; clientid=\"7689-jhgg-8765r-kkjggt\"; app=\" \"; QueryLetter=\"yard=MS&amp;identification=MLAS&amp;timeRange=EVERYDAY&amp;timePeriod=MINUTES [12/12/21] 12:10:112 GMT] I6789HIOO applicattion authenticationid=100| |35467577889999| |67775-ghhgfrt-6788h-7667788; clientid=\"7689-jhgg-8765r-kkjggt\"; app=\" \"; QueryLetter=\"yard=MS&amp;identification=MLA&amp;timeRange=EVERYDAY&amp;timePeriod=MINUTES [12/12/21] 12:10:112 GMT] I6789HIOO applicattion authenticationid=100| |35467577889999| |67775-ghhgfrt-6788h-7667788; clientid=\"7689-jhgg-8765r-kkjggt\"; app=\" \"; QueryLetter=\"yard=MS&amp;identification=LAS&amp;timeRange=EVERYDAY&amp;timePeriod=MINUTES [12/12/21] 12:10:112 GMT] I6789HIOO applicattion authenticationid=100| |35467577889999| |67775-ghhgfrt-6788h-7667788; clientid=\"7689-jhgg-8765r-kkjggt\"; app=\" \"; QueryLetter=\"yard=MS&amp;identification=VAM&amp;timeRange=EVERYDAY&amp;timePeriod=MINUTES", " ") | mvexpand data | rename data AS _raw | extract</LI-CODE><P>&nbsp;</P><P>&nbsp;These are the fields extracted:</P><TABLE><TBODY><TR><TD>QueryLetter</TD><TD>app</TD><TD>authenticationid</TD><TD>clientid</TD><TD>identification</TD><TD>timePeriod</TD><TD>timeRange</TD></TR><TR><TD>"yard=MS</TD><TD>&nbsp;</TD><TD>100| |35467577889999| |67775-ghhgfrt-6788h-7667788</TD><TD>7689-jhgg-8765r-kkjggt</TD><TD>MLAS</TD><TD>MINUTES</TD><TD>EVERYDAY</TD></TR><TR><TD>"yard=MS</TD><TD>&nbsp;</TD><TD>100| |35467577889999| |67775-ghhgfrt-6788h-7667788</TD><TD>7689-jhgg-8765r-kkjggt</TD><TD>MLA</TD><TD>MINUTES</TD><TD>EVERYDAY</TD></TR><TR><TD>"yard=MS</TD><TD>&nbsp;</TD><TD>100| |35467577889999| |67775-ghhgfrt-6788h-7667788</TD><TD>7689-jhgg-8765r-kkjggt</TD><TD>LAS</TD><TD>MINUTES</TD><TD>EVERYDAY</TD></TR><TR><TD>"yard=MS</TD><TD>&nbsp;</TD><TD>100| |35467577889999| |67775-ghhgfrt-6788h-7667788</TD><TD>7689-jhgg-8765r-kkjggt</TD><TD>VAM</TD><TD>MINUTES</TD><TD>EVERYDAY</TD></TR></TBODY></TABLE> Fri, 13 Jan 2023 08:31:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-rex-to-extract-field/m-p/627036#M217921 yuanliu 2023-01-13T08:31:48Z https://community.splunk.com/t5/Splunk-Search/How-to-create-rex-to-extract-field/m-p/627524#M218054 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;<BR />it worked, thank you</P> Wed, 18 Jan 2023 21:14:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-rex-to-extract-field/m-p/627524#M218054 Harish2 2023-01-18T21:14:22Z