https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-for-search-or-index-time-field-extractions/m-p/181598#M52332 <P>Im trying to get search time field extractions (or index time) on the following log format:</P> <P>2014-06-11T09:32:45.545-07:00 - INFO<BR /> RequestType:SFPR<BR /> UniqueRequestGUID:0e160f29-d75b-49dd-b966-4d93678d0590<BR /> SessionGUID:826e14ab-df0f-41c8-b874-13d17dd0b655<BR /> ProductType:PACKAGE<BR /> TPID:6<BR /> EPID:0<BR /> PGPR_PIID:f4669df2-e9af-429c-8b9d-b1b4aa136d9e-0<BR /> PGPR_ConnOpen:1<BR /> PGPR_Ser:2<BR /> PGPR_RequestDuration:25<BR /> PGPR_Des:2<BR /> RequestDuration:30</P> Mon, 28 Sep 2020 17:20:20 GMT smudge797 2020-09-28T17:20:20Z https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-for-search-or-index-time-field-extractions/m-p/181598#M52332 <P>Im trying to get search time field extractions (or index time) on the following log format:</P> <P>2014-06-11T09:32:45.545-07:00 - INFO<BR /> RequestType:SFPR<BR /> UniqueRequestGUID:0e160f29-d75b-49dd-b966-4d93678d0590<BR /> SessionGUID:826e14ab-df0f-41c8-b874-13d17dd0b655<BR /> ProductType:PACKAGE<BR /> TPID:6<BR /> EPID:0<BR /> PGPR_PIID:f4669df2-e9af-429c-8b9d-b1b4aa136d9e-0<BR /> PGPR_ConnOpen:1<BR /> PGPR_Ser:2<BR /> PGPR_RequestDuration:25<BR /> PGPR_Des:2<BR /> RequestDuration:30</P> Mon, 28 Sep 2020 17:20:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-for-search-or-index-time-field-extractions/m-p/181598#M52332 smudge797 2020-09-28T17:20:20Z https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-for-search-or-index-time-field-extractions/m-p/181599#M52333 <P>Seems like fairly straightforward key-value extraction, try this:</P> <P>props.conf</P> <PRE><CODE>[your_sourcetype] REPORT-kv = key_colon_value </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[key_colon_value] REGEX = ^(?&lt;_KEY_1&gt;\w+):(?&lt;_VAL_1&gt;.*)$ </CODE></PRE> <P>Make sure my use of start- and end-of-line anchors works correctly without specifying any flags such as <CODE>(?m)</CODE> or <CODE>(?s)</CODE>, I frequently mix those up <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 14 Aug 2014 13:33:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-for-search-or-index-time-field-extractions/m-p/181599#M52333 martin_mueller 2014-08-14T13:33:45Z https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-for-search-or-index-time-field-extractions/m-p/181600#M52334 <P>Thanks Martin..<BR /> interesting, it does not appear to be working. Can you expand on the anchor points?<BR /> Maybe i am mixing them up!</P> Thu, 14 Aug 2014 15:35:50 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-for-search-or-index-time-field-extractions/m-p/181600#M52334 smudge797 2014-08-14T15:35:50Z https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-for-search-or-index-time-field-extractions/m-p/181601#M52335 <P>Do i not need something extra to have the : appear as a =<BR /> So ProductType:PACKAGE would be ProductType=PACKAGE</P> Thu, 14 Aug 2014 15:41:50 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-for-search-or-index-time-field-extractions/m-p/181601#M52335 smudge797 2014-08-14T15:41:50Z https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-for-search-or-index-time-field-extractions/m-p/181602#M52336 <P>Try this as transform REGEX.</P> <P>\s*(?&lt;<EM>KEY_1&gt;[a-zA-Z\</EM>]+):(?&lt;_VAL_1&gt;[^\s]*)</P> Mon, 28 Sep 2020 17:20:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-for-search-or-index-time-field-extractions/m-p/181602#M52336 somesoni2 2020-09-28T17:20:29Z