https://community.splunk.com/t5/Splunk-Search/Extract-fields-with-a-regular-expression/m-p/108675#M28315 <P>Can you update the quesiton with a specific example of the line you're extracting this data from? What data is in the "LOG_ID", "DEVICE_DATA", and "USERNAME" fields (numbers only, spaces, etc)?</P> Mon, 28 Sep 2020 14:26:52 GMT dglinder 2020-09-28T14:26:52Z https://community.splunk.com/t5/Splunk-Search/Extract-fields-with-a-regular-expression/m-p/108673#M28313 <P>I have fields in the format of <CODE>LOG_ID</CODE>, <CODE>DEVICE_DATA</CODE>, <CODE>USERNAME</CODE>, that I'd like to extract, and I'd like to exclude the default Splunk fields like <CODE>_time</CODE>, <CODE>*_raw</CODE>, and <CODE>timeendpos</CODE>, <CODE>timestartpos</CODE>, etc. Is that possible to do through the <CODE>regex</CODE> command? Can I chain that with <CODE>table</CODE> somehow?</P> Mon, 29 Jul 2013 14:48:52 GMT https://community.splunk.com/t5/Splunk-Search/Extract-fields-with-a-regular-expression/m-p/108673#M28313 narabhut 2013-07-29T14:48:52Z https://community.splunk.com/t5/Splunk-Search/Extract-fields-with-a-regular-expression/m-p/108674#M28314 <P>No, the <CODE>regex</CODE> command is used for filtering search results based on a regular expression. The <CODE>rex</CODE> command is used for extracting fields out of events though. Including/excluding fields is done using the <CODE>fields</CODE> command.</P> <P>Based on your question it sounds like you should take a tour of how Splunk works. Field extractions are covered here: <A href="http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addfieldsatsearchtime">http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addfieldsatsearchtime</A></P> <P>And there's an excellent Splunk tutorial: <A href="http://docs.splunk.com/Documentation/Splunk/latest/Tutorial/WelcometotheSplunkTutorial">http://docs.splunk.com/Documentation/Splunk/latest/Tutorial/WelcometotheSplunkTutorial</A></P> Mon, 29 Jul 2013 15:15:24 GMT https://community.splunk.com/t5/Splunk-Search/Extract-fields-with-a-regular-expression/m-p/108674#M28314 Ayn 2013-07-29T15:15:24Z https://community.splunk.com/t5/Splunk-Search/Extract-fields-with-a-regular-expression/m-p/108675#M28315 <P>Can you update the quesiton with a specific example of the line you're extracting this data from? What data is in the "LOG_ID", "DEVICE_DATA", and "USERNAME" fields (numbers only, spaces, etc)?</P> Mon, 28 Sep 2020 14:26:52 GMT https://community.splunk.com/t5/Splunk-Search/Extract-fields-with-a-regular-expression/m-p/108675#M28315 dglinder 2020-09-28T14:26:52Z https://community.splunk.com/t5/Splunk-Search/Extract-fields-with-a-regular-expression/m-p/108676#M28316 <P>The data in the fields can contain anything, so I don't think I can do filtering based on that. An example would be LOG_ID=12312 DEVICE_DATA="random stuff" USERNAME="DAVIDTEST"</P> Mon, 28 Sep 2020 14:26:55 GMT https://community.splunk.com/t5/Splunk-Search/Extract-fields-with-a-regular-expression/m-p/108676#M28316 narabhut 2020-09-28T14:26:55Z https://community.splunk.com/t5/Splunk-Search/Extract-fields-with-a-regular-expression/m-p/108677#M28317 <P>If you have "key=value" pairs, Splunk should be extracting them as a field by the name of "key" and the corresponding value "value".</P> <P>You should be able to limit your searches by simply adding a the field = value as part of your search terms. (Example: "LOG_ID=12312")</P> <P>If you are interested in displaying only certain fields in a table format, then piping into a table command and listing the fields you want is enough.</P> Mon, 29 Jul 2013 19:05:23 GMT https://community.splunk.com/t5/Splunk-Search/Extract-fields-with-a-regular-expression/m-p/108677#M28317 aholzer 2013-07-29T19:05:23Z