https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-from-the-text/m-p/670530#M229852 <P>This string appears twice, which one do you want to extract - in order for rex to find the right string, you need to define the pattern of characters around (either before, after or both) - unless you always want<SPAN>&nbsp;ib12345, in which case, this should work</SPAN></P><LI-CODE lang="markup">| rex "(?&lt;field&gt;ib12345)"</LI-CODE> Sat, 02 Dec 2023 15:24:34 GMT ITWhisperer 2023-12-02T15:24:34Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-from-the-text/m-p/670528#M229851 <P><SPAN class="">Dec</SPAN> <SPAN class="">2</SPAN> <SPAN class="">09:02:17</SPAN>&nbsp;server1&nbsp;<SPAN class="">sudo:</SPAN>&nbsp;ib12345&nbsp;<SPAN class="">:</SPAN> <SPAN class="">TTY=pts/0</SPAN><SPAN> ; </SPAN><SPAN class="">PWD=/home/ib12345</SPAN><SPAN>&nbsp;; </SPAN><SPAN class="">USER=root</SPAN><SPAN> ; </SPAN><SPAN class=""><SPAN class="">COMMAND=/bin/su</SPAN> -</SPAN></P><P>&nbsp;</P><P><SPAN class="">I need to extract ib12345 from the above data . </SPAN></P> Sat, 02 Dec 2023 14:42:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-from-the-text/m-p/670528#M229851 Hema_Nithya 2023-12-02T14:42:36Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-from-the-text/m-p/670530#M229852 <P>This string appears twice, which one do you want to extract - in order for rex to find the right string, you need to define the pattern of characters around (either before, after or both) - unless you always want<SPAN>&nbsp;ib12345, in which case, this should work</SPAN></P><LI-CODE lang="markup">| rex "(?&lt;field&gt;ib12345)"</LI-CODE> Sat, 02 Dec 2023 15:24:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-from-the-text/m-p/670530#M229852 ITWhisperer 2023-12-02T15:24:34Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-from-the-text/m-p/670532#M229854 <P><SPAN class="">sudo:</SPAN>&nbsp;ib12345&nbsp;<BR /><BR />Value ib12345 will change not constant . It is upi .&nbsp;</P> Sat, 02 Dec 2023 15:28:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-from-the-text/m-p/670532#M229854 Hema_Nithya 2023-12-02T15:28:17Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-from-the-text/m-p/670533#M229855 <P>Assuming your spacing in your example is consistent with your events, then this should work</P><LI-CODE lang="markup">| rex "sudo:\s(?&lt;field&gt;\S+)\s"</LI-CODE> Sat, 02 Dec 2023 15:31:03 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-from-the-text/m-p/670533#M229855 ITWhisperer 2023-12-02T15:31:03Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-from-the-text/m-p/670534#M229856 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/92012">@Hema_Nithya</a>&nbsp;,</P><P>please try this:</P><LI-CODE lang="markup">! rex "sudo:\s+(?&lt;field&gt;[^ ]+)"</LI-CODE><P>that you can test at&nbsp;<A href="https://regex101.com/r/uBkpRh/1" target="_blank">https://regex101.com/r/uBkpRh/1</A></P><P>Ciao.</P><P>Giuseppe</P> Sat, 02 Dec 2023 15:34:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-from-the-text/m-p/670534#M229856 gcusello 2023-12-02T15:34:29Z