https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-that-appears-in-3-different-formats/m-p/285129#M86240 <P>Hi Bagaboo,</P> <P>based on the examples, try this regex as your field extraction:</P> <PRE><CODE>[Aa]ctivity[iIdD]+[\s:_]+(?&lt;ActivityID&gt;)[^$]+ </CODE></PRE> <P>you can verify it first in a search:</P> <PRE><CODE>your base search here | rex "[Aa]ctivity[iIdD]+[\s:_]+(?&lt;ActivityID&gt;)[^$]+" | do more stuff </CODE></PRE> <P>Hope this helps ...</P> <P>cheers, MuS</P> Sun, 20 Dec 2015 21:08:42 GMT MuS 2015-12-20T21:08:42Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-that-appears-in-3-different-formats/m-p/285128#M86239 <P>Hello, </P> <P>I am using Splunk Light to create a proof of concept with Splunk. </P> <P>I have imported a .csv file. One of the columns has a "message". <BR /> The message sometimes contains an ActivityID. <BR /> The ActivityID has three inconsistent shapes:<BR /> 1. ActivityID: 00000000-0000-0000-0000-000000000000<BR /> 2. ActivityID 00000000-0000-0000-0000-000000000000<BR /> 3. activityid_00000000-0000-0000-0000-000000000000</P> <P>I want to extract the field based on the above. </P> <P>I succeeded to extract the first one. When I add the second one, it fails to do so and throws an error. <BR /> I tried to create two different definitions with the same name. The seconds one fails because ActivityID already exists. </P> <P>What are your recommendations?</P> Sun, 20 Dec 2015 19:52:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-that-appears-in-3-different-formats/m-p/285128#M86239 Bagaboo 2015-12-20T19:52:05Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-that-appears-in-3-different-formats/m-p/285129#M86240 <P>Hi Bagaboo,</P> <P>based on the examples, try this regex as your field extraction:</P> <PRE><CODE>[Aa]ctivity[iIdD]+[\s:_]+(?&lt;ActivityID&gt;)[^$]+ </CODE></PRE> <P>you can verify it first in a search:</P> <PRE><CODE>your base search here | rex "[Aa]ctivity[iIdD]+[\s:_]+(?&lt;ActivityID&gt;)[^$]+" | do more stuff </CODE></PRE> <P>Hope this helps ...</P> <P>cheers, MuS</P> Sun, 20 Dec 2015 21:08:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-that-appears-in-3-different-formats/m-p/285129#M86240 MuS 2015-12-20T21:08:42Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-that-appears-in-3-different-formats/m-p/285130#M86241 <P>Thank you MuS. Based on your input i tried...</P> <PRE><CODE>[Aa]ctivity[iIdD]+[\s:_]+(?P&lt;ActivityID&gt;[^,]+) </CODE></PRE> <P>...and it worked like a charm. It is extracting all three field variants and getting me the guids flawlessly. Although i got different results when i tried it in the search. </P> Mon, 21 Dec 2015 17:43:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-that-appears-in-3-different-formats/m-p/285130#M86241 Bagaboo 2015-12-21T17:43:15Z