topic Re: Regex Help to extract fields in Splunk Search https://community.splunk.com/t5/Splunk-Search/Regex-Help-to-extract-fields/m-p/678174#M231932 <P>Before I invest too much time working on a regex, please can you share your events in a code block &lt;/&gt;. Also, do your events really have "Part" in them? (Regex matches in patterns and unless the patterns are accurate, the match will not be found.)</P> Wed, 21 Feb 2024 11:11:52 GMT ITWhisperer 2024-02-21T11:11:52Z Regex Help to extract fields https://community.splunk.com/t5/Splunk-Search/Regex-Help-to-extract-fields/m-p/678171#M231929 <P>Can some one please help with the regex that can be used to view the below event in tabular format.</P><P>Event</P><P>INFO &gt; 2024-02-02 16:12:12,222 - [application logs message]:</P><P>==============================================</P><P>Part 1.&nbsp; &nbsp; session start is completed</P><P>Part 2.&nbsp; &nbsp; &nbsp;Before app message row count&nbsp; &nbsp; : 9000000</P><P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Before app consolidation row count&nbsp; &nbsp; :8888800</P><P>Part 3.&nbsp; &nbsp; &nbsp;append message completed</P><P>Part 4.&nbsp; &nbsp; &nbsp;After app message flush row count : 0</P><P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;After app message flush row count&nbsp; &nbsp; &nbsp;:1000000</P><P>=================================================</P><P>&nbsp;</P><P>How can we use regex and get the fields from above event and show them in table like below</P><P><STRONG>parts&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;message&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; count</STRONG></P><P>Part 1&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;session start is completed</P><P>part 2&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Before app message row count&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;9000000</P><P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;8888800</P><P>part 3&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;append message completed</P> Wed, 21 Feb 2024 09:31:29 GMT https://community.splunk.com/t5/Splunk-Search/Regex-Help-to-extract-fields/m-p/678171#M231929 Harikiranjammul 2024-02-21T09:31:29Z Re: Regex Help to extract fields https://community.splunk.com/t5/Splunk-Search/Regex-Help-to-extract-fields/m-p/678174#M231932 <P>Before I invest too much time working on a regex, please can you share your events in a code block &lt;/&gt;. Also, do your events really have "Part" in them? (Regex matches in patterns and unless the patterns are accurate, the match will not be found.)</P> Wed, 21 Feb 2024 11:11:52 GMT https://community.splunk.com/t5/Splunk-Search/Regex-Help-to-extract-fields/m-p/678174#M231932 ITWhisperer 2024-02-21T11:11:52Z