https://community.splunk.com/t5/Splunk-Search/How-do-I-write-the-regex-to-extract-the-Application-Name-from-my/m-p/247281#M73761 <P>Try this</P> <PRE><CODE>... | rex "C:\/W(INDOWS|indows)(?&lt;appname&gt;[^,]+)" | table appname </CODE></PRE> Fri, 08 Jul 2016 17:04:37 GMT sundareshr 2016-07-08T17:04:37Z https://community.splunk.com/t5/Splunk-Search/How-do-I-write-the-regex-to-extract-the-Application-Name-from-my/m-p/247280#M73760 <P>I have the following results from my search. I am trying to extract the Application Name from the raw log using the following regex, but it is not working. Any suggestions?</P> <PRE><CODE>index=symantec PAC-20.2 user=SYSTEM | rex field=_raw ",C\:\/WINDOWS\/ (?.*) + ,0," </CODE></PRE> <P>Sample data:</P> <PRE><CODE>Jul 8 10:44:06 USALSEPP1 SymantecServer: USGE58122D,Blocked,Prevent modification of system files - Caller MD5=e13f5091775bc35a844faff0de246016,File Write,Begin: 2016-07-08 10:42:51,End: 2016-07-08 10:42:51,Rule: [PAC-20.2] - Prevent modification of system files | [PAC-20.2.1] Prevent modification of system files,1660,C:/Windows/System32/spoolsv.exe,0,No Module Name,C:/Windows/System32/spool/SERVERS/USGEPRINTP01.perrigo.com,User: SYSTEM,Domain: LPCDOMAIN1,Action Type: ,File size (bytes): 0,Device ID: IDE\DiskST320LT020-9YG142_______________________0003LVM1\4&amp;4a6dd28&amp;0&amp;0.0.0 Jul 8 10:35:26 USALSEPP1 SymantecServer: USGE58190D,Blocked,Prevent modification of system files - Caller MD5=5879d691e842574a20fe63817cb76df9,File Write,Begin: 2016-07-08 08:03:27,End: 2016-07-08 08:03:27,Rule: [PAC-20.2] - Prevent modification of system files | [PAC-20.2.1] Prevent modification of system files,5144,C:/WINDOWS/system32/msiexec.exe,0,No Module Name,C:/WINDOWS/CCM/AppVHandler.dll,User: SYSTEM,Domain: LPCDOMAIN1,Action Type: ,File size (bytes): 347320,Device ID: IDE\DiskHGST_HTS545032A7E380____________________GGBZBF40\4&amp;4a6dd28&amp;0&amp;0.0.0 </CODE></PRE> Fri, 08 Jul 2016 15:31:29 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-write-the-regex-to-extract-the-Application-Name-from-my/m-p/247280#M73760 pdumblet 2016-07-08T15:31:29Z https://community.splunk.com/t5/Splunk-Search/How-do-I-write-the-regex-to-extract-the-Application-Name-from-my/m-p/247281#M73761 <P>Try this</P> <PRE><CODE>... | rex "C:\/W(INDOWS|indows)(?&lt;appname&gt;[^,]+)" | table appname </CODE></PRE> Fri, 08 Jul 2016 17:04:37 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-write-the-regex-to-extract-the-Application-Name-from-my/m-p/247281#M73761 sundareshr 2016-07-08T17:04:37Z https://community.splunk.com/t5/Splunk-Search/How-do-I-write-the-regex-to-extract-the-Application-Name-from-my/m-p/247282#M73762 <P>Thank you Sundareshr</P> Fri, 08 Jul 2016 17:09:17 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-write-the-regex-to-extract-the-Application-Name-from-my/m-p/247282#M73762 pdumblet 2016-07-08T17:09:17Z