https://community.splunk.com/t5/Splunk-Search/Field-Extraction/m-p/136990#M37506 <P>Thank you!!</P> Thu, 10 Jul 2014 16:14:20 GMT tmarlette 2014-07-10T16:14:20Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction/m-p/136982#M37498 <P>I have a some data I am attempting to extract and then do lookups on. I am attempting to extract the FID number, which is effectivley - "FID":FID#:property = &lt; value &gt;</P> <P>Take a look at my entry:</P> <PRE><CODE>FID:1022:5=18749,109 FID:1025:5=18752,109 FID:1029:8=0:0:0 FID:1066:5=0,101 FID:1179:1=1 FID:2000:2=1 FID:3001:6= FID:6335:6=US4592001014 FID:6360:6=2005973 FID:6605:1=1.01755e+013 FID:6630:1=8.26677e-005 FID:7012:6=459200101 FID:8107:1=0 FID:17476:2=0 FID:17483:2=-1 FID:20001:6=ADdomain FID:20003:6=domain1 FID:20008:6=user1 FID:20052:6=DEP01 </CODE></PRE> <P>I attempted to use this REGEX extraction, but splunk doesn't recognize it: <CODE>FID:(?&lt;FID&gt;\d+):\d+</CODE></P> <P>I'm guess that either RegEx changed, or splunk changed somehow and I missed it, or i'm fat fingering something? </P> <P>Thank you! </P> Thu, 10 Jul 2014 13:52:49 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction/m-p/136982#M37498 tmarlette 2014-07-10T13:52:49Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction/m-p/136983#M37499 <P>This is one log entry or 4? In both case, you need to extract all FID#?</P> Thu, 10 Jul 2014 14:08:56 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction/m-p/136983#M37499 somesoni2 2014-07-10T14:08:56Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction/m-p/136984#M37500 <P>This is a snippet of one log entry, and I would need to extract ALL FID#'s from all log entries.</P> Thu, 10 Jul 2014 14:12:46 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction/m-p/136984#M37500 tmarlette 2014-07-10T14:12:46Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction/m-p/136985#M37501 <P>So you want to get the values 1022, 1025, 1029, etc?</P> Thu, 10 Jul 2014 14:15:17 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction/m-p/136985#M37501 richgalloway 2014-07-10T14:15:17Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction/m-p/136986#M37502 <P>Let's take the first part of the log entry:</P> <P>FID:1022:5=18749</P> <P>In this example, the number "1022" is what i'm looking to extract.</P> Thu, 10 Jul 2014 14:22:27 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction/m-p/136986#M37502 tmarlette 2014-07-10T14:22:27Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction/m-p/136987#M37503 <P>This works for me (give a multivalued field will all FID#)</P> <PRE><CODE>Your base search | rex max_match=0 "FID:(?&lt;FID&gt;\d+):\d+=" </CODE></PRE> Thu, 10 Jul 2014 14:36:56 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction/m-p/136987#M37503 somesoni2 2014-07-10T14:36:56Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction/m-p/136988#M37504 <P>Thank you!!! This works very well! is there a way to do this in props.conf or transforms?</P> Thu, 10 Jul 2014 14:47:50 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction/m-p/136988#M37504 tmarlette 2014-07-10T14:47:50Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction/m-p/136989#M37505 <P>Yes sir. See this link.<BR /> <A href="http://answers.splunk.com/answers/11777/field-extraction-into-multivalue-field">http://answers.splunk.com/answers/11777/field-extraction-into-multivalue-field</A></P> Thu, 10 Jul 2014 15:10:26 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction/m-p/136989#M37505 somesoni2 2014-07-10T15:10:26Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction/m-p/136990#M37506 <P>Thank you!!</P> Thu, 10 Jul 2014 16:14:20 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction/m-p/136990#M37506 tmarlette 2014-07-10T16:14:20Z