https://community.splunk.com/t5/Splunk-Search/Extract-Value/m-p/193620#M55769 <P>Thanks </P> <P>the point is "XYZ Inc","Air","0 Days + 01:00:00",1,"0.000 %"<BR /> is just one example of event i have various other events with different text, in that case i dont think hard coding the values in seacrh will work?</P> Wed, 19 Mar 2014 16:08:53 GMT nikhilmehra79 2014-03-19T16:08:53Z https://community.splunk.com/t5/Splunk-Search/Extract-Value/m-p/193613#M55762 <P>I have a search result with following string i just need to extract the value - 0.000 (just before %) from this string below </P> <P>"XYZ Inc","Air","0 Days + 01:00:00",1,"0.000 %"</P> <P>I tried following </P> <P>..| rex field=_raw "(?<NAME>.<EM>),(?<TYPE>.</TYPE></EM>),(?<DTIME>.<EM>),(?<NUMBER_OF_OUT>.</NUMBER_OF_OUT></EM>),(?<AVAIL>.*)" | search Avail != null | table Avail but looks like i need to get more regex</AVAIL></DTIME></NAME></P> Mon, 28 Sep 2020 16:10:16 GMT https://community.splunk.com/t5/Splunk-Search/Extract-Value/m-p/193613#M55762 nikhilmehra79 2020-09-28T16:10:16Z https://community.splunk.com/t5/Splunk-Search/Extract-Value/m-p/193614#M55763 <P>Close... you're missing a few details.</P> <P>Here is your regex (the double quotes are escaped only when you use them in the search box, because the rex command wants the regex contained in double quotes... it isn't regex that requires them escaped, mind you)</P> <P><CODE>your base search | rex field=_raw"^\"(?P&lt;name&gt;.+)\",\"(?P&lt;Type&gt;.+)\",\"(?P&lt;tdtime&gt;.+)\",(?P&lt;number_of_out&gt;\d+),\"(?P&lt;avail&gt;.+)%\""</CODE></P> <P>This site is very helpful for testing:</P> <P><A href="http://www.regexr.com/">http://www.regexr.com/</A></P> Wed, 19 Mar 2014 01:07:58 GMT https://community.splunk.com/t5/Splunk-Search/Extract-Value/m-p/193614#M55763 rsennett_splunk 2014-03-19T01:07:58Z https://community.splunk.com/t5/Splunk-Search/Extract-Value/m-p/193615#M55764 <P>its says error</P> <PRE><CODE>Error in 'rex' command: Invalid argument: '"(?&lt;Type&gt;.*)"' </CODE></PRE> Wed, 19 Mar 2014 05:30:53 GMT https://community.splunk.com/t5/Splunk-Search/Extract-Value/m-p/193615#M55764 nikhilmehra79 2014-03-19T05:30:53Z https://community.splunk.com/t5/Splunk-Search/Extract-Value/m-p/193616#M55765 <P>You may want to just use the field extractor and avoid using the rex command altogether...</P> Wed, 19 Mar 2014 06:22:34 GMT https://community.splunk.com/t5/Splunk-Search/Extract-Value/m-p/193616#M55765 rsennett_splunk 2014-03-19T06:22:34Z https://community.splunk.com/t5/Splunk-Search/Extract-Value/m-p/193617#M55766 <P>you have a example and is it not possible to use regex to do the same?</P> Wed, 19 Mar 2014 06:45:29 GMT https://community.splunk.com/t5/Splunk-Search/Extract-Value/m-p/193617#M55766 nikhilmehra79 2014-03-19T06:45:29Z https://community.splunk.com/t5/Splunk-Search/Extract-Value/m-p/193618#M55767 <P>above regex works for me</P> <UL> <LI>| head 1 | eval _raw="\"XYZ Inc\",\"Air\",\"0 Days + 01:00:00\",1,\"0.000 %\"" | table _raw | rex field=_raw "^\"(?P<NAME>.+)\",\"(?P<TYPE>.+)\",\"(?P<TDTIME>.+)\",(?P<NUMBER_OF_OUT>\d+),\"(?P<AVAIL>.+)%\""</AVAIL></NUMBER_OF_OUT></TDTIME></TYPE></NAME></LI> </UL> Mon, 28 Sep 2020 16:10:47 GMT https://community.splunk.com/t5/Splunk-Search/Extract-Value/m-p/193618#M55767 somesoni2 2020-09-28T16:10:47Z https://community.splunk.com/t5/Splunk-Search/Extract-Value/m-p/193619#M55768 <P>nikhilmehra79, you should copy EXACTLY what somesoni2 has given you and try that. Do not change the regex. It is the same as the one I gave you exactly... and it works. The difference is - this version has kindly given you the entire search. I was lazy. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR /> I have edited the answer accordingly - including the prefix eval so that the code is independent for those of us who do not have your data in an index.</P> Wed, 19 Mar 2014 14:57:25 GMT https://community.splunk.com/t5/Splunk-Search/Extract-Value/m-p/193619#M55768 rsennett_splunk 2014-03-19T14:57:25Z https://community.splunk.com/t5/Splunk-Search/Extract-Value/m-p/193620#M55769 <P>Thanks </P> <P>the point is "XYZ Inc","Air","0 Days + 01:00:00",1,"0.000 %"<BR /> is just one example of event i have various other events with different text, in that case i dont think hard coding the values in seacrh will work?</P> Wed, 19 Mar 2014 16:08:53 GMT https://community.splunk.com/t5/Splunk-Search/Extract-Value/m-p/193620#M55769 nikhilmehra79 2014-03-19T16:08:53Z https://community.splunk.com/t5/Splunk-Search/Extract-Value/m-p/193621#M55770 <P>remove the hard-coding part and use your own search parameter. This was just the example.</P> Wed, 19 Mar 2014 17:31:29 GMT https://community.splunk.com/t5/Splunk-Search/Extract-Value/m-p/193621#M55770 somesoni2 2014-03-19T17:31:29Z https://community.splunk.com/t5/Splunk-Search/Extract-Value/m-p/193622#M55771 <P>Thanks worked.</P> Wed, 19 Mar 2014 22:31:51 GMT https://community.splunk.com/t5/Splunk-Search/Extract-Value/m-p/193622#M55771 nikhilmehra79 2014-03-19T22:31:51Z https://community.splunk.com/t5/Splunk-Search/Extract-Value/m-p/193623#M55772 <P>Great! Glad we could help.</P> Wed, 19 Mar 2014 22:45:14 GMT https://community.splunk.com/t5/Splunk-Search/Extract-Value/m-p/193623#M55772 rsennett_splunk 2014-03-19T22:45:14Z