topic Re: What is the regular expression to extract &quot;a1234567&quot; from my event? in Splunk Search https://community.splunk.com/t5/Splunk-Search/What-is-the-regular-expression-to-extract-quot-a1234567-quot/m-p/286470#M86749 <P>I would consider using the <CODE>split</CODE> and <CODE>mvindex</CODE> commands for this, assuming INDV is being extracted already:</P> <PRE><CODE>... | eval my_field=mvindex(split(INDV,"|"),2) </CODE></PRE> <P>With regex:</P> <PRE><CODE>... | rex field=INDV "RSPAR\|(?[^|]+)" </CODE></PRE> <P>But that really depends on the consistency of the data around your target extraction.</P> Mon, 06 Feb 2017 15:12:55 GMT twinspop 2017-02-06T15:12:55Z What is the regular expression to extract "a1234567" from my event? https://community.splunk.com/t5/Splunk-Search/What-is-the-regular-expression-to-extract-quot-a1234567-quot/m-p/286468#M86747 <P>Please help me with regular expression<BR /> i want to extract <CODE>a1234567</CODE></P> <PRE><CODE>"INDV=1234566|RSPAR|a1234567|RSPAR" </CODE></PRE> Mon, 06 Feb 2017 15:03:50 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-regular-expression-to-extract-quot-a1234567-quot/m-p/286468#M86747 sravankaripe 2017-02-06T15:03:50Z Re: What is the regular expression to extract "a1234567" from my event? https://community.splunk.com/t5/Splunk-Search/What-is-the-regular-expression-to-extract-quot-a1234567-quot/m-p/286469#M86748 <P>hi sravankaripe,<BR /> you can use it on row events</P> <PRE><CODE>\d+\|\w+\|(?&lt;your_field&gt;[^\|]*) </CODE></PRE> <P>or using a rex command</P> <PRE><CODE>| rex field=INDV "\d+\|\w+\|(?&lt;your_field&gt;[^\|]*)" </CODE></PRE> <P>You can see it at <A href="https://regex101.com/r/Ve484u/1">https://regex101.com/r/Ve484u/1</A></P> <P>Bye.<BR /> Giuseppe</P> Mon, 06 Feb 2017 15:09:29 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-regular-expression-to-extract-quot-a1234567-quot/m-p/286469#M86748 gcusello 2017-02-06T15:09:29Z Re: What is the regular expression to extract "a1234567" from my event? https://community.splunk.com/t5/Splunk-Search/What-is-the-regular-expression-to-extract-quot-a1234567-quot/m-p/286470#M86749 <P>I would consider using the <CODE>split</CODE> and <CODE>mvindex</CODE> commands for this, assuming INDV is being extracted already:</P> <PRE><CODE>... | eval my_field=mvindex(split(INDV,"|"),2) </CODE></PRE> <P>With regex:</P> <PRE><CODE>... | rex field=INDV "RSPAR\|(?[^|]+)" </CODE></PRE> <P>But that really depends on the consistency of the data around your target extraction.</P> Mon, 06 Feb 2017 15:12:55 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-regular-expression-to-extract-quot-a1234567-quot/m-p/286470#M86749 twinspop 2017-02-06T15:12:55Z Re: What is the regular expression to extract "a1234567" from my event? https://community.splunk.com/t5/Splunk-Search/What-is-the-regular-expression-to-extract-quot-a1234567-quot/m-p/286471#M86750 <P>| rex field=_raw "\d+|\w+|(?[^|]*)" <BR /> this worked for me Thanks</P> Mon, 06 Feb 2017 15:12:59 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-regular-expression-to-extract-quot-a1234567-quot/m-p/286471#M86750 sravankaripe 2017-02-06T15:12:59Z