https://community.splunk.com/t5/Splunk-Search/Regular-Expression-RegEX-Extracting-Field-from-String-Contains/m-p/197676#M57118 <P>Hi,</P> <P>I'm trying to extract the third comma deliminated column with the string "ABC" in it.</P> <P>example data:</P> <PRE><CODE>QWE ALL,06/12/2014 15:36:14,0.9678687876 QW,06/12/2014 15:36:12,0.5645564664 ERM,06/12/2014 15:36:11,0.3424234242 MJK,06/12/2014 15:36:10,0.2342344342 ABC PLD01234; THIS IS TEST MESSAGE FROM PLD01234 FOR MACHINE ABB231,06/12/2014 15:36:09,0.654354326 ABC PLDS; THIS IS TEST ,06/12/2014 15:36:07,3.564647835 FGH FG456,06/12/2014 15:36:06,0.543574354 </CODE></PRE> <P>I need the expression to extract 0.654354326 and 3.564647835.</P> <P>I was trying <CODE>(^|)ABC |$)[^ \n]* \d+:\d+:\d+,(?P&lt;FIELDNAME&gt;.+)</CODE> but have not had any luck. Any ideas?</P> Thu, 12 Jun 2014 20:54:04 GMT nissanse98 2014-06-12T20:54:04Z https://community.splunk.com/t5/Splunk-Search/Regular-Expression-RegEX-Extracting-Field-from-String-Contains/m-p/197676#M57118 <P>Hi,</P> <P>I'm trying to extract the third comma deliminated column with the string "ABC" in it.</P> <P>example data:</P> <PRE><CODE>QWE ALL,06/12/2014 15:36:14,0.9678687876 QW,06/12/2014 15:36:12,0.5645564664 ERM,06/12/2014 15:36:11,0.3424234242 MJK,06/12/2014 15:36:10,0.2342344342 ABC PLD01234; THIS IS TEST MESSAGE FROM PLD01234 FOR MACHINE ABB231,06/12/2014 15:36:09,0.654354326 ABC PLDS; THIS IS TEST ,06/12/2014 15:36:07,3.564647835 FGH FG456,06/12/2014 15:36:06,0.543574354 </CODE></PRE> <P>I need the expression to extract 0.654354326 and 3.564647835.</P> <P>I was trying <CODE>(^|)ABC |$)[^ \n]* \d+:\d+:\d+,(?P&lt;FIELDNAME&gt;.+)</CODE> but have not had any luck. Any ideas?</P> Thu, 12 Jun 2014 20:54:04 GMT https://community.splunk.com/t5/Splunk-Search/Regular-Expression-RegEX-Extracting-Field-from-String-Contains/m-p/197676#M57118 nissanse98 2014-06-12T20:54:04Z https://community.splunk.com/t5/Splunk-Search/Regular-Expression-RegEX-Extracting-Field-from-String-Contains/m-p/197677#M57119 <P>You could do this</P> <PRE><CODE>.*?\,.*?\,(?P&lt;FIELDNAME&gt;\d+\.\d+) </CODE></PRE> <P>and I think it would work</P> Thu, 12 Jun 2014 21:00:11 GMT https://community.splunk.com/t5/Splunk-Search/Regular-Expression-RegEX-Extracting-Field-from-String-Contains/m-p/197677#M57119 lguinn2 2014-06-12T21:00:11Z https://community.splunk.com/t5/Splunk-Search/Regular-Expression-RegEX-Extracting-Field-from-String-Contains/m-p/197678#M57120 <P>Hi lguinn,</P> <P>Thank you for your response; that helped me out a lot! However, the data I'm attempting to parse has some complications. There are additional fields to the example data above. I need a string that can determine difference between:</P> <P>S,date,0.2343432<BR /> S #random words,date,0.3423423<BR /> SRS,date,0.4353453<BR /> SRS #random words,date,0.453453<BR /> I need an expression that gather the string that starts with "S," OR "S " (space)</P> Sat, 14 Jun 2014 16:04:28 GMT https://community.splunk.com/t5/Splunk-Search/Regular-Expression-RegEX-Extracting-Field-from-String-Contains/m-p/197678#M57120 nissanse98 2014-06-14T16:04:28Z https://community.splunk.com/t5/Splunk-Search/Regular-Expression-RegEX-Extracting-Field-from-String-Contains/m-p/197679#M57121 <P>This works for S with space</P> <P><CODE>(^S ).*?\,.*?\,(?P&lt;FIELDNAME&gt;.+)</CODE></P> <P>This works for S with comma</P> <P><CODE>(^S,).*?\,(?P&lt;FIELDNAME&gt;.+)</CODE></P> <P>Attempts to combine the expression......</P> <P><CODE>((^S ).*?\,.*?\,)|((^S,).*?\,)(?P&lt;FIELDNAME&gt;.+)</CODE></P> <P>Returns: AttributeError: 'NoneType' object has no attribute 'replace'</P> <P>and</P> <P><CODE>((^S ).*?\,.*?\,)(?P&lt;FIELDNAME&gt;.+)|((^S,).*?\,)(?P&lt;FIELDNAME&gt;.+)</CODE></P> <P>Returns:Invalid regex: redefinition of group name u'FIELDNAME' as group 6; was group 3</P> <P>I feel I'm close but am missing something. Appreciate any help! Thank you! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Sat, 14 Jun 2014 16:04:44 GMT https://community.splunk.com/t5/Splunk-Search/Regular-Expression-RegEX-Extracting-Field-from-String-Contains/m-p/197679#M57121 nissanse98 2014-06-14T16:04:44Z https://community.splunk.com/t5/Splunk-Search/Regular-Expression-RegEX-Extracting-Field-from-String-Contains/m-p/197680#M57122 <P>You can have multiple REGEXes for the same field - Splunk does not require that you combine them. Just do this in <STRONG>props.conf</STRONG></P> <PRE><CODE>[mysourcetype] EXTRACT-e1 = (^S ).*?\,.*?\,(?P&lt;myfield&gt;.+) EXTRACT-e2 = (^S,).*?\,(?P&lt;myfield&gt;.+) </CODE></PRE> <P>Notice that both lines have the <EM>same</EM> field name. You could add a third if you want, etc.</P> <P>I would probably put this in <CODE>$SPLUNK_HOME/etc/apps/search/local/props.conf</CODE></P> Sat, 14 Jun 2014 16:38:12 GMT https://community.splunk.com/t5/Splunk-Search/Regular-Expression-RegEX-Extracting-Field-from-String-Contains/m-p/197680#M57122 lguinn2 2014-06-14T16:38:12Z https://community.splunk.com/t5/Splunk-Search/Regular-Expression-RegEX-Extracting-Field-from-String-Contains/m-p/197681#M57123 <P>Thanks! That helps out a lot!</P> <P>I had to use the props.conf in this directory to work:<BR /> \etc\users\admin\"appname"\local</P> <P>Thanks for the help</P> Sat, 14 Jun 2014 19:19:51 GMT https://community.splunk.com/t5/Splunk-Search/Regular-Expression-RegEX-Extracting-Field-from-String-Contains/m-p/197681#M57123 nissanse98 2014-06-14T19:19:51Z