https://community.splunk.com/t5/Splunk-Search/rex-help/m-p/705173#M238807 <P>The thing is that regex must match your data properly so we can't just "assume" something out of the blue.</P><P>You can fiddle with the regex for yourself (and see how and why it works)</P><P><A href="https://regex101.com/r/VaY5Qn/1" target="_blank">https://regex101.com/r/VaY5Qn/1</A></P> Mon, 25 Nov 2024 08:21:02 GMT PickleRick 2024-11-25T08:21:02Z https://community.splunk.com/t5/Splunk-Search/rex-help/m-p/705102#M238786 <P>probably an easy one, i have two events as follows</P><P>&nbsp;</P><P>thisisfield1 thisisfield2 mynextfield3</P><P>thisisfield1 mynextfield3</P><P>meaning in some events field2 exists, in some it doesnt, when it does i want the value and when it doesnt i want it to be blank and all records have mynextfield3 and i always want that as field3</P><P>i want rex these lines and end up with</P><P>field1&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;field2&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; field3</P><P>thisisfield1&nbsp; &nbsp; thisisfield2&nbsp; &nbsp;mynextfield3</P><P>thisisfield1&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; mynextfield3</P><P>&nbsp;</P> Sat, 23 Nov 2024 13:38:34 GMT https://community.splunk.com/t5/Splunk-Search/rex-help/m-p/705102#M238786 darkins 2024-11-23T13:38:34Z https://community.splunk.com/t5/Splunk-Search/rex-help/m-p/705103#M238787 <P>Assuming that field1 and field3 are always at the beginning and end of the line respectively, and assuming that their values do not contain spaces, and assuming they are separated by spaces, you could use this:</P><LI-CODE lang="markup">^(?&lt;field1&gt;\S+)\s*(?&lt;field2&gt;\S+)?\s(?&lt;field3&gt;\S+)$</LI-CODE><P>&nbsp;</P> Sat, 23 Nov 2024 13:49:19 GMT https://community.splunk.com/t5/Splunk-Search/rex-help/m-p/705103#M238787 marnall 2024-11-23T13:49:19Z https://community.splunk.com/t5/Splunk-Search/rex-help/m-p/705132#M238794 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/272768">@darkins</a>&nbsp;,</P><P>could you share some samples of your logs, highlighting the strings to extract?</P><P>Ciao.</P><P>Giuseppe</P> Sun, 24 Nov 2024 09:17:19 GMT https://community.splunk.com/t5/Splunk-Search/rex-help/m-p/705132#M238794 gcusello 2024-11-24T09:17:19Z https://community.splunk.com/t5/Splunk-Search/rex-help/m-p/705142#M238796 <P>It all depends how your fields are delimited/anchored. <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/263556">@marnall</a> 's answer is obvious if you have just two or three words separated by spaces. If your "layout" is different, you have to adjust it.</P> Sun, 24 Nov 2024 12:07:31 GMT https://community.splunk.com/t5/Splunk-Search/rex-help/m-p/705142#M238796 PickleRick 2024-11-24T12:07:31Z https://community.splunk.com/t5/Splunk-Search/rex-help/m-p/705152#M238801 <P>not sure what else to put, this is what my data looks like</P><P>&nbsp;</P><P>thisisfield1 thisisfield2 mynextfield3</P><P>thisisfield1 mynextfield3</P><P>&nbsp;</P><P>i want these two lines to display as</P><P>&nbsp;</P><P><STRONG>field1&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;field2&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;</STRONG> <STRONG>field3</STRONG></P><P>thisisfield1&nbsp; &nbsp; thisisfield2&nbsp; &nbsp;mynextfield3</P><P>thisisfield1&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; mynextfield3</P> Sun, 24 Nov 2024 23:50:28 GMT https://community.splunk.com/t5/Splunk-Search/rex-help/m-p/705152#M238801 darkins 2024-11-24T23:50:28Z https://community.splunk.com/t5/Splunk-Search/rex-help/m-p/705153#M238802 <P>i guess the key is i think i need to say that field2 equals everything up to an m PRECEDED by a space?</P> Sun, 24 Nov 2024 23:54:51 GMT https://community.splunk.com/t5/Splunk-Search/rex-help/m-p/705153#M238802 darkins 2024-11-24T23:54:51Z https://community.splunk.com/t5/Splunk-Search/rex-help/m-p/705166#M238806 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/272768">@darkins</a>&nbsp;,</P><P>ad also&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/231884">@PickleRick</a>&nbsp;and&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/263556">@marnall</a>&nbsp;said, the regex depends on the log, so it's difficoult to create a regex without some sample.</P><P>If you have three words, separated by a space and somethimes there are only two words without any other rule, it's not possible to define a regex; if instead there's some additional rule in the firstfields or in the nextfield, it's possible to identify a regex.</P><P>Ciao.</P><P>Giuseppe</P> Mon, 25 Nov 2024 07:29:35 GMT https://community.splunk.com/t5/Splunk-Search/rex-help/m-p/705166#M238806 gcusello 2024-11-25T07:29:35Z https://community.splunk.com/t5/Splunk-Search/rex-help/m-p/705173#M238807 <P>The thing is that regex must match your data properly so we can't just "assume" something out of the blue.</P><P>You can fiddle with the regex for yourself (and see how and why it works)</P><P><A href="https://regex101.com/r/VaY5Qn/1" target="_blank">https://regex101.com/r/VaY5Qn/1</A></P> Mon, 25 Nov 2024 08:21:02 GMT https://community.splunk.com/t5/Splunk-Search/rex-help/m-p/705173#M238807 PickleRick 2024-11-25T08:21:02Z