https://community.splunk.com/t5/Splunk-Search/Field-extraction/m-p/114853#M30394 <P>Thanks guys, it worked..I am more comfortable using 00..{3}([^\s]+). this is exactly filling my requirement. </P> Thu, 29 Jan 2015 15:21:56 GMT Navanitha 2015-01-29T15:21:56Z https://community.splunk.com/t5/Splunk-Search/Field-extraction/m-p/114848#M30389 <P>I am trying to extract the field starting with C ending with I from following strings. Can anyone pls suggest the appropriate regex for this.</P> <P>201421222062713TK 00.?4_CVH03I VY SCN P43833244199105 02P87562824579SAI LAKKAMANENI </P> <P>1120082628TA 00.?4DCGPV08I GTALS 295211P3055E464 01Q000900046SAHEER SHAIK12 </P> <P>2014112980059TL 00.C&amp;&amp;CGPV08I GTALS 295211P3055E464 0TI000200546280SRIDHAR ALAPARTHI </P> Thu, 29 Jan 2015 13:13:51 GMT https://community.splunk.com/t5/Splunk-Search/Field-extraction/m-p/114848#M30389 Navanitha 2015-01-29T13:13:51Z https://community.splunk.com/t5/Splunk-Search/Field-extraction/m-p/114849#M30390 <P>It's not clear exactly what you want to extract since there are multiple I's in your sample data. However, the regex string <CODE>(C.*?I)</CODE> should get you started.</P> Thu, 29 Jan 2015 13:31:08 GMT https://community.splunk.com/t5/Splunk-Search/Field-extraction/m-p/114849#M30390 richgalloway 2015-01-29T13:31:08Z https://community.splunk.com/t5/Splunk-Search/Field-extraction/m-p/114850#M30391 <P>I want to extract fields with CVH03I / CGPV08I / CGPV08I. regex which you gave is matching the field in first sting only. I would like to match it with other two stings.</P> Thu, 29 Jan 2015 13:41:30 GMT https://community.splunk.com/t5/Splunk-Search/Field-extraction/m-p/114850#M30391 Navanitha 2015-01-29T13:41:30Z https://community.splunk.com/t5/Splunk-Search/Field-extraction/m-p/114851#M30392 <P>According to RegExr, the string matches the first two examples. The challenge in the third example is there are two C's. See if this works better for you:</P> <PRE><CODE>[_?&amp;].*?(C.*?I) </CODE></PRE> Thu, 29 Jan 2015 14:13:53 GMT https://community.splunk.com/t5/Splunk-Search/Field-extraction/m-p/114851#M30392 richgalloway 2015-01-29T14:13:53Z https://community.splunk.com/t5/Splunk-Search/Field-extraction/m-p/114852#M30393 <P>You could also try this:</P> <PRE><CODE>00\..{3}([^\s]+) </CODE></PRE> <P>To save it as a field extraction just use this:</P> <PRE><CODE>00\..{3}(?P&lt;my_field&gt;[^\s]+) </CODE></PRE> <P>I'm using the 00. as my starting point, ignore 3 characters after that, then begin the capture until the next whitespace.</P> Thu, 29 Jan 2015 14:25:03 GMT https://community.splunk.com/t5/Splunk-Search/Field-extraction/m-p/114852#M30393 aholzer 2015-01-29T14:25:03Z https://community.splunk.com/t5/Splunk-Search/Field-extraction/m-p/114853#M30394 <P>Thanks guys, it worked..I am more comfortable using 00..{3}([^\s]+). this is exactly filling my requirement. </P> Thu, 29 Jan 2015 15:21:56 GMT https://community.splunk.com/t5/Splunk-Search/Field-extraction/m-p/114853#M30394 Navanitha 2015-01-29T15:21:56Z https://community.splunk.com/t5/Splunk-Search/Field-extraction/m-p/114854#M30395 <P>I also want to extract out a field from the samples logs below (all from cisco nodes); the words that come after the key word "command", i want to mark anything afterwards as a field, how do i use rex or regex go about it? thanks</P> <PRE><CODE>Sep 23 16:01:38 X.X.X.X 39412: Sep 23 13:01:37.822: %PARSER-5-CFGLOG_LOGGEDCMD: User:john.adams logged command:switchport port-security Sep 23 14:51:04 X.X.X.X 517733: 9w0d: %PARSER-5-CFGLOG_LOGGEDCMD: User:mary.clare logged command:neighbor X.X.X.X GigabitEthernet0/2.1458 Sep 23 20:04:22 X.X.X.X 4554: Sep 23 17:04:21.239: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:deny </CODE></PRE> Fri, 23 Sep 2016 17:20:53 GMT https://community.splunk.com/t5/Splunk-Search/Field-extraction/m-p/114854#M30395 sepmerit 2016-09-23T17:20:53Z