https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-for-filtering-values-with-in-same-field/m-p/216442#M63511 <P>try this</P> <PRE><CODE>^(?&lt;field&gt;[^:.]*) </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Fri, 30 Dec 2016 13:11:19 GMT gcusello 2016-12-30T13:11:19Z https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-for-filtering-values-with-in-same-field/m-p/216438#M63507 <P>Hi,</P> <P>I have below values in same field , i have to take the values(characters) before : .If the first value is ip address then full ip have to taken.<BR /> for example ,</P> <P>10.102.208.108:sqlexpress( need full ip address from here)<BR /> ALATDEV1:OMGEO(Need ALATDEV1 from here)<BR /> SWSYBQ21.dtcc.com:1025 (Need SWSYBQ21 from here )<BR /> SWTEPQ0004.corp.dtcc.com:172.21.168.62:172.21.168.62:0:ServiceList.WebInspect Data Server (Need SWTEPQ0004)</P> <P>Please suggest me .</P> Fri, 30 Dec 2016 11:09:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-for-filtering-values-with-in-same-field/m-p/216438#M63507 umsundar2015 2016-12-30T11:09:20Z https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-for-filtering-values-with-in-same-field/m-p/216439#M63508 <P>Hi umsundar2015,<BR /> Try something like this</P> <PRE><CODE>^(?&lt;field&gt;[^:]*) </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Fri, 30 Dec 2016 11:59:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-for-filtering-values-with-in-same-field/m-p/216439#M63508 gcusello 2016-12-30T11:59:12Z https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-for-filtering-values-with-in-same-field/m-p/216440#M63509 <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/2285iBA0689F49A44B18E/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span>Hi @umsundar2015,<BR /> Will it be possible for you to give complete event as example i.e. whether there is a pattern before and pattern after the field you are trying to extract?</P> <P>If not can you try Interactive Field Extraction to let Splunk generate regular expression for the required field extraction. In your test machine you can add some sample logs and use Extract New Fields option.</P> <P>Refer to attached screenshot for a sample regular expression based IFX.</P> Fri, 30 Dec 2016 12:19:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-for-filtering-values-with-in-same-field/m-p/216440#M63509 niketn 2016-12-30T12:19:01Z https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-for-filtering-values-with-in-same-field/m-p/216441#M63510 <P>Hi,</P> <P>Thank you for your rex.</P> <P>But still for this CVSQLP0001.corp.reds.com:MSSQLSERVER , i am getting CVSQLP0001.corp.reds.com</P> <P>My requirement is to get CVSQLP0001 for the above scenario too.</P> <P>Pls advice me .</P> Fri, 30 Dec 2016 12:53:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-for-filtering-values-with-in-same-field/m-p/216441#M63510 umsundar2015 2016-12-30T12:53:32Z https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-for-filtering-values-with-in-same-field/m-p/216442#M63511 <P>try this</P> <PRE><CODE>^(?&lt;field&gt;[^:.]*) </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Fri, 30 Dec 2016 13:11:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-for-filtering-values-with-in-same-field/m-p/216442#M63511 gcusello 2016-12-30T13:11:19Z https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-for-filtering-values-with-in-same-field/m-p/216443#M63512 <P>now the ip address is not proper , iam getting 10 alone for 10.102.208.108:SQLEXPRESS,<BR /> Pls suggest</P> Fri, 30 Dec 2016 13:46:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-for-filtering-values-with-in-same-field/m-p/216443#M63512 umsundar2015 2016-12-30T13:46:01Z https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-for-filtering-values-with-in-same-field/m-p/216444#M63513 <P>try this</P> <PRE><CODE>^(?&lt;field&gt;((\d+\.\d+\.\d+\.\d+)|(\w+))*) </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Fri, 30 Dec 2016 14:14:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-for-filtering-values-with-in-same-field/m-p/216444#M63513 gcusello 2016-12-30T14:14:52Z https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-for-filtering-values-with-in-same-field/m-p/216445#M63514 <P>This should work for all the cases if say the values are in field called <CODE>testField</CODE>:</P> <PRE><CODE>your query to return testField | rex field=testField "^(?&lt;myField&gt;(([\d\.]+)|(\w+)))[:.]" | table myField </CODE></PRE> <P><A href="https://regex101.com/r/k37Bwu/1">See extraction here.</A><BR /> You can also replace the last capturing group <CODE>[:.]</CODE> to include comma if required <CODE>[:.,]</CODE></P> Fri, 30 Dec 2016 23:55:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-for-filtering-values-with-in-same-field/m-p/216445#M63514 gokadroid 2016-12-30T23:55:10Z https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-for-filtering-values-with-in-same-field/m-p/216446#M63515 <P>hi gokandroid,</P> <P>Thank you and this works perfectly ..</P> Mon, 02 Jan 2017 11:07:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-for-filtering-values-with-in-same-field/m-p/216446#M63515 umsundar2015 2017-01-02T11:07:41Z