https://community.splunk.com/t5/Splunk-Search/rex-command-to-extract-fields-from-field-Message-Document-345/m-p/165082#M46888 <P>I am using the first one.It worked perfectly.<BR /> Thank you very much and appreciate your help. </P> Sun, 26 Apr 2015 04:06:37 GMT sabithanitg 2015-04-26T04:06:37Z https://community.splunk.com/t5/Splunk-Search/rex-command-to-extract-fields-from-field-Message-Document-345/m-p/165076#M46882 <P>rex command to extract fields from Message=Document 345, Microsoft Word Text <STRONG>owned by</STRONG> first.last <STRONG>on</STRONG> abc1234 <STRONG>was</STRONG> some text <STRONG>on</STRONG> some text.............<BR /> Marked with bold text are common in all the values.</P> <P>result of field names should look like this.</P> <P>DocumentNum=Document 345<BR /> DocumentType = Microsoft Word Text <BR /> username=first.last<BR /> device=abc1234<BR /> location=some text</P> <P>I have started with following rex command, but I cannot look for the text till "owned by" and for user name "owned by" to "on" and so on</P> <P>| rex Message="(?[^\,]<EM>)\,(?[(</EM>)?:owned]*)" | table DocumentNum DocumentType</P> <P>my result is looking like this: DocumentNum = Document 345<BR /> DocumentType = Micro </P> Fri, 24 Apr 2015 13:54:30 GMT https://community.splunk.com/t5/Splunk-Search/rex-command-to-extract-fields-from-field-Message-Document-345/m-p/165076#M46882 sabithanitg 2015-04-24T13:54:30Z https://community.splunk.com/t5/Splunk-Search/rex-command-to-extract-fields-from-field-Message-Document-345/m-p/165077#M46883 <P>Hello! Here you go</P> <PRE><CODE>|rex "^Message=(?P&lt;DocumentNum&gt;[^,]+),\s+(?P&lt;DocumentType&gt;\w+\s+\w+\s+\w+)(?:[^ \n]* ){3}(?P&lt;username&gt;[^ ]+) on (?P&lt;device&gt;[a-f0-9]+) was (?P&lt;location&gt;.+)"|table DocumentNum,DocumentType, username, device, location </CODE></PRE> Fri, 24 Apr 2015 14:28:42 GMT https://community.splunk.com/t5/Splunk-Search/rex-command-to-extract-fields-from-field-Message-Document-345/m-p/165077#M46883 stephanefotso 2015-04-24T14:28:42Z https://community.splunk.com/t5/Splunk-Search/rex-command-to-extract-fields-from-field-Message-Document-345/m-p/165078#M46884 <P>Thanks for the answer Stephane, This is not showing up any value for these fields. Is there any other method to achieve this?</P> Fri, 24 Apr 2015 14:53:20 GMT https://community.splunk.com/t5/Splunk-Search/rex-command-to-extract-fields-from-field-Message-Document-345/m-p/165078#M46884 sabithanitg 2015-04-24T14:53:20Z https://community.splunk.com/t5/Splunk-Search/rex-command-to-extract-fields-from-field-Message-Document-345/m-p/165079#M46885 <P>try this:</P> <PRE><CODE> ..........|rex "^Message=(?P&lt;DocumentNum&gt;[^,]+),\s+(?P&lt;DocumentType&gt;\w+\s+\w+\s+\w+)\sowned\sby\s(?P&lt;username&gt;[^ ]+)\son\s(?P&lt;device&gt;[a-f0-9]+)\swas\s(?P&lt;location&gt;.+)"|table DocumentNum,DocumentType, username, device, location </CODE></PRE> <P>And if you are working with a <STRONG>csv file</STRONG>, means <STRONG>Message</STRONG> is a field in your csv, try this:</P> <PRE><CODE> ..........|rex field=Message "(?P&lt;DocumentNum&gt;[^,]+),\s+(?P&lt;DocumentType&gt;\w+\s+\w+\s+\w+)\sowned\sby\s(?P&lt;username&gt;[^ ]+)\son\s(?P&lt;device&gt;[a-f0-9]+)\swas\s(?P&lt;location&gt;.+)"|table DocumentNum,DocumentType, username, device, location </CODE></PRE> <P>if not working also, please let me see the entire first line of your events.</P> Fri, 24 Apr 2015 15:04:29 GMT https://community.splunk.com/t5/Splunk-Search/rex-command-to-extract-fields-from-field-Message-Document-345/m-p/165079#M46885 stephanefotso 2015-04-24T15:04:29Z https://community.splunk.com/t5/Splunk-Search/rex-command-to-extract-fields-from-field-Message-Document-345/m-p/165080#M46886 <P>Thanks stephane, With few changes it is working to extract for few values not all of them.<BR /> Is there any possibility of extracting all.</P> <P>For example DocumentType field value contains as below similarly for Location <BR /> Microsoft Outlook - Memo Style,<BR /> 11-02-099.pdf,<BR /> <A href="https://h44444.www3.hp.com/HPCSN/EtFOnline/fff_ff_notes">https://h44444.www3.hp.com/HPCSN/EtFOnline/fff_ff_notes</A></P> Fri, 24 Apr 2015 17:34:47 GMT https://community.splunk.com/t5/Splunk-Search/rex-command-to-extract-fields-from-field-Message-Document-345/m-p/165080#M46886 sabithanitg 2015-04-24T17:34:47Z https://community.splunk.com/t5/Splunk-Search/rex-command-to-extract-fields-from-field-Message-Document-345/m-p/165081#M46887 <P>yes of course! there are many possibilities to extract what you want. Please which of the above queries worked?<BR /> If it is the first one, here you go now:</P> <PRE><CODE>|rex "^Message=(?P&lt;DocumentNum&gt;[^,]+),(?P&lt;DocumentType&gt;[^\n]*)owned\sby\s(?P&lt;username&gt;[^ ]+)\s+on\s+(?P&lt;device&gt;[a-f0-9]+)\s+was\s+(?P&lt;location&gt;[^\n]*)"|table DocumentNum DocumentType, username ,device, location </CODE></PRE> <P>if it is the second one, here you go</P> <PRE><CODE>|rex field=Message "(?P&lt;DocumentNum&gt;[^,]+),(?P&lt;DocumentType&gt;[^\n]*)owned\sby\s(?P&lt;username&gt;[^ ]+)\s+on\s+(?P&lt;device&gt;[a-f0-9]+)\s+was\s+(?P&lt;location&gt;[^\n]*)"|table DocumentNum DocumentType, username ,device, location </CODE></PRE> <P>Hope it may help now.</P> Fri, 24 Apr 2015 20:20:51 GMT https://community.splunk.com/t5/Splunk-Search/rex-command-to-extract-fields-from-field-Message-Document-345/m-p/165081#M46887 stephanefotso 2015-04-24T20:20:51Z https://community.splunk.com/t5/Splunk-Search/rex-command-to-extract-fields-from-field-Message-Document-345/m-p/165082#M46888 <P>I am using the first one.It worked perfectly.<BR /> Thank you very much and appreciate your help. </P> Sun, 26 Apr 2015 04:06:37 GMT https://community.splunk.com/t5/Splunk-Search/rex-command-to-extract-fields-from-field-Message-Document-345/m-p/165082#M46888 sabithanitg 2015-04-26T04:06:37Z