https://community.splunk.com/t5/Splunk-Search/Regular-Expression/m-p/698057#M237093 <P>HI , I want to extract purple part. But Severity can be Critical as well .<BR /><BR /><BR />[<SPAN class="">Time:29-08@17:52:05.880</SPAN>] [<SPAN class="">60569130</SPAN>] <SPAN class="">17:52:28.604</SPAN> <SPAN class="">10.82.10.245</SPAN> <SPAN class="">local0.notice</SPAN> [<SPAN class="">S=2952486</SPAN>] [<SPAN class="">BID=d57afa:30</SPAN>] <SPAN class=""><SPAN class="">RAISE-ALARM</SPAN>:acBoardEthernetLinkAlarm:</SPAN> [<SPAN class="">KOREASBC1</SPAN>] <SPAN class="">Ethernet</SPAN> <SPAN class="">link</SPAN> <SPAN class="">alarm.</SPAN> <SPAN class="">LAN</SPAN> <SPAN class="">port</SPAN> <SPAN class="">number</SPAN> <SPAN class="">3</SPAN> <SPAN class="">is</SPAN> <SPAN class="">down.</SPAN>; <FONT color="#CC99FF"><SPAN class="">Severity:minor</SPAN></FONT>; <SPAN class="">Source:Board#1/EthernetLink#3</SPAN>; <SPAN class="">Unique</SPAN> <SPAN class="">ID:206</SPAN>; <SPAN class="">Additional</SPAN> <SPAN class="">Info1:GigabitEthernet</SPAN> <SPAN class="">4/3</SPAN>; <SPAN class="">Additional</SPAN> <SPAN class="">Info2:SEL-SBC01</SPAN>; [<SPAN class="">Time:29-08@17:52:28.604</SPAN>] [<SPAN class="">60569131</SPAN>] <SPAN class="">17:52:28.605</SPAN> <SPAN class="">10.82.10.245</SPAN> <SPAN class="">local0.warning</SPAN> [<SPAN class="">S=2952487</SPAN>] [<SPAN class="">BID=d57afa:30</SPAN>] <SPAN class=""><SPAN class="">RAISE-ALARM</SPAN>:acEthernetGroupAlarm:</SPAN> [<SPAN class="">KOREASBC1</SPAN>] <SPAN class="">Ethernet</SPAN> <SPAN class="">Group</SPAN> <SPAN class="">alarm.</SPAN> <SPAN class="">Ethernet</SPAN> <SPAN class="">Group</SPAN> <SPAN class="">2</SPAN> <SPAN class="">is</SPAN> <SPAN class="">Down.</SPAN>; <FONT color="#CC99FF"><SPAN class="">Severity:major</SPAN></FONT>; <SPAN class="">Source:Board#1/EthernetGroup#2</SPAN>; <SPAN class="">Unique</SPAN> <SPAN class="">ID:207</SPAN>; <SPAN class="">Additional</SPAN> <SPAN class="">Info1:</SPAN>; [<SPAN class="">Time:29-08@17:52:28.605</SPAN>] [<SPAN class="">60569132</SPAN>] <SPAN class="">17:52:28.721</SPAN> <SPAN class="">10.82.10.245</SPAN> <SPAN class="">local0.notice</SPAN> [<SPAN class="">S=2952488</SPAN>] [<SPAN class="">BID=d57afa:30</SPAN>] <SPAN class="">SYS_HA:</SPAN> <SPAN class="">Redundant</SPAN> <SPAN class="">unit</SPAN> <SPAN class="">physical</SPAN> <SPAN class="">network</SPAN> <SPAN class="">interface</SPAN> <SPAN class="">error</SPAN> <SPAN class="">fixed.</SPAN> [<SPAN class="">Code:0x46000</SPAN>] [<SPAN class="">Time:29-08@17:52:28.721</SPAN>] [<SPAN class="">60569133]</SPAN></P> Tue, 03 Sep 2024 10:55:10 GMT Siddharthnegi 2024-09-03T10:55:10Z https://community.splunk.com/t5/Splunk-Search/Regular-Expression/m-p/698057#M237093 <P>HI , I want to extract purple part. But Severity can be Critical as well .<BR /><BR /><BR />[<SPAN class="">Time:29-08@17:52:05.880</SPAN>] [<SPAN class="">60569130</SPAN>] <SPAN class="">17:52:28.604</SPAN> <SPAN class="">10.82.10.245</SPAN> <SPAN class="">local0.notice</SPAN> [<SPAN class="">S=2952486</SPAN>] [<SPAN class="">BID=d57afa:30</SPAN>] <SPAN class=""><SPAN class="">RAISE-ALARM</SPAN>:acBoardEthernetLinkAlarm:</SPAN> [<SPAN class="">KOREASBC1</SPAN>] <SPAN class="">Ethernet</SPAN> <SPAN class="">link</SPAN> <SPAN class="">alarm.</SPAN> <SPAN class="">LAN</SPAN> <SPAN class="">port</SPAN> <SPAN class="">number</SPAN> <SPAN class="">3</SPAN> <SPAN class="">is</SPAN> <SPAN class="">down.</SPAN>; <FONT color="#CC99FF"><SPAN class="">Severity:minor</SPAN></FONT>; <SPAN class="">Source:Board#1/EthernetLink#3</SPAN>; <SPAN class="">Unique</SPAN> <SPAN class="">ID:206</SPAN>; <SPAN class="">Additional</SPAN> <SPAN class="">Info1:GigabitEthernet</SPAN> <SPAN class="">4/3</SPAN>; <SPAN class="">Additional</SPAN> <SPAN class="">Info2:SEL-SBC01</SPAN>; [<SPAN class="">Time:29-08@17:52:28.604</SPAN>] [<SPAN class="">60569131</SPAN>] <SPAN class="">17:52:28.605</SPAN> <SPAN class="">10.82.10.245</SPAN> <SPAN class="">local0.warning</SPAN> [<SPAN class="">S=2952487</SPAN>] [<SPAN class="">BID=d57afa:30</SPAN>] <SPAN class=""><SPAN class="">RAISE-ALARM</SPAN>:acEthernetGroupAlarm:</SPAN> [<SPAN class="">KOREASBC1</SPAN>] <SPAN class="">Ethernet</SPAN> <SPAN class="">Group</SPAN> <SPAN class="">alarm.</SPAN> <SPAN class="">Ethernet</SPAN> <SPAN class="">Group</SPAN> <SPAN class="">2</SPAN> <SPAN class="">is</SPAN> <SPAN class="">Down.</SPAN>; <FONT color="#CC99FF"><SPAN class="">Severity:major</SPAN></FONT>; <SPAN class="">Source:Board#1/EthernetGroup#2</SPAN>; <SPAN class="">Unique</SPAN> <SPAN class="">ID:207</SPAN>; <SPAN class="">Additional</SPAN> <SPAN class="">Info1:</SPAN>; [<SPAN class="">Time:29-08@17:52:28.605</SPAN>] [<SPAN class="">60569132</SPAN>] <SPAN class="">17:52:28.721</SPAN> <SPAN class="">10.82.10.245</SPAN> <SPAN class="">local0.notice</SPAN> [<SPAN class="">S=2952488</SPAN>] [<SPAN class="">BID=d57afa:30</SPAN>] <SPAN class="">SYS_HA:</SPAN> <SPAN class="">Redundant</SPAN> <SPAN class="">unit</SPAN> <SPAN class="">physical</SPAN> <SPAN class="">network</SPAN> <SPAN class="">interface</SPAN> <SPAN class="">error</SPAN> <SPAN class="">fixed.</SPAN> [<SPAN class="">Code:0x46000</SPAN>] [<SPAN class="">Time:29-08@17:52:28.721</SPAN>] [<SPAN class="">60569133]</SPAN></P> Tue, 03 Sep 2024 10:55:10 GMT https://community.splunk.com/t5/Splunk-Search/Regular-Expression/m-p/698057#M237093 Siddharthnegi 2024-09-03T10:55:10Z https://community.splunk.com/t5/Splunk-Search/Regular-Expression/m-p/698061#M237096 <P><A href="https://regex101.com/r/Op8H3R/1" target="_blank">https://regex101.com/r/Op8H3R/1</A></P> Tue, 03 Sep 2024 11:02:21 GMT https://community.splunk.com/t5/Splunk-Search/Regular-Expression/m-p/698061#M237096 ITWhisperer 2024-09-03T11:02:21Z https://community.splunk.com/t5/Splunk-Search/Regular-Expression/m-p/743528#M241104 <P>below also give same results, please let me know if its right too..</P><P>"(?&lt;severity&gt;Severity:\w+;)"</P> Fri, 04 Apr 2025 13:39:00 GMT https://community.splunk.com/t5/Splunk-Search/Regular-Expression/m-p/743528#M241104 okumar1 2025-04-04T13:39:00Z