https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-these-two-fields-from-a-string-in-my-sample/m-p/215027#M63040 <P>Hello !</P> <P>thank you, all seems to work.</P> Wed, 27 Apr 2016 09:00:39 GMT fbertoletti 2016-04-27T09:00:39Z https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-these-two-fields-from-a-string-in-my-sample/m-p/215025#M63038 <P>Hello,</P> <P>I have this logs :</P> <PRE><CODE>Apr 26 12:49:09 10.30.245.203 Apr 26 14:49:12 MachineOne info tmm1[11869]: Rule /User_Agent &lt;HTTP_RESPONSE&gt;: src_ip=112.43.9.4,vip=110.12.8.8,http_method=GET,http_host=www.xxxx.it:443,http_uri=/files/visio.jpg,http_url=www.xxx.it:443/files/x/x/x/x/x.jpg,http_version=1.1,http_user_agent="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36",http_content_type=,http_referrer="https://x/",req_start_time=2016/04/26 14:49:12,cookie="_x",user=,virtual_server="/x x x",bytes_in=0,res_start_time=2016/04/26 14:49:12,node=x ,node_port=80,http_status=200,req_elapsed_time=5,bytes_out=13290 </CODE></PRE> <P>I would like to only extract this part <CODE>Windows NT 6.1</CODE> and <CODE>Chrome/49.0.2623.112</CODE> in the <STRONG>http_user_agent</STRONG> field.</P> <P>I also have another log with the values<CODE>Linux</CODE> and <CODE>Chrome/49.0.2623.105</CODE></P> <PRE><CODE>Apr 26 13:10:16 10.30.245.203 Apr 26 15:10:19 x info tmm[11869]: Rule /User_Agent &lt;HTTP_RESPONSE&gt;: src_ip=x,vip=x8,http_method=GET,http_host=x,http_uri=x,http_url=x,http_version=1.1,http_user_agent="Mozilla/5.0 (**Linux**; Android 4.4.2; LG-D213 Build/KOT49I.A1407976057) AppleWebKit/537.36 (KHTML, like Gecko) **Chrome/49.0.2623.105** Mobile Safari/537.36",http_content_type=,http_referrer="x",req_start_time=2016/04/26 15:10:19,cookie="x",user=,vir </CODE></PRE> <P>I tried to use regex, but without the expected result.</P> <P>Objective is to have table with:</P> <PRE><CODE>OS Nav Windows NT 6.1 Chrome/49.0.2623.112 Linux Chrome/49.0.2623.10 </CODE></PRE> <P>thanks for your help <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 29 Sep 2020 09:29:48 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-these-two-fields-from-a-string-in-my-sample/m-p/215025#M63038 fbertoletti 2020-09-29T09:29:48Z https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-these-two-fields-from-a-string-in-my-sample/m-p/215026#M63039 <P>This worked for me using your sample data. You can check other strings at regex101.com</P> <PRE><CODE>... | rex field=http_user_agent "\((?P&lt;OS&gt;[^;\*]+);.*\)\s(?P&lt;Nav&gt;[^ \*]+)" | ... </CODE></PRE> Tue, 26 Apr 2016 16:59:15 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-these-two-fields-from-a-string-in-my-sample/m-p/215026#M63039 richgalloway 2016-04-26T16:59:15Z https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-these-two-fields-from-a-string-in-my-sample/m-p/215027#M63040 <P>Hello !</P> <P>thank you, all seems to work.</P> Wed, 27 Apr 2016 09:00:39 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-these-two-fields-from-a-string-in-my-sample/m-p/215027#M63040 fbertoletti 2016-04-27T09:00:39Z