https://community.splunk.com/t5/Splunk-Search/Regex-to-extract-fields-with-different-format/m-p/291486#M88049 <P>Hi nuaraujo,<BR /> try this:</P> <PRE><CODE>| rex field=message "^USER: (?P&lt;username&gt;.+?) (?P&lt;operation&gt;[A-Z]+ [A-Z]+) (?&lt;comment&gt;.*)" | rex field=comment "- (?&lt;id&gt;\d+)\. (?&lt;message&gt;.*)" </CODE></PRE> <P>In this way you have all fields.</P> <P>Bye.<BR /> Giuseppe</P> Tue, 27 Mar 2018 09:20:32 GMT gcusello 2018-03-27T09:20:32Z https://community.splunk.com/t5/Splunk-Search/Regex-to-extract-fields-with-different-format/m-p/291485#M88048 <P>Hello all,</P> <P>I need your help in order to get a regex that may extract fields from some messages.</P> <P>Example 1<BR /> <STRONG>USER: user1 UPDATED CUSTOMER - 123456. Added new user. New user was added.</STRONG></P> <P>What I am looking at this message:<BR /> <STRONG>username</STRONG>: user1<BR /> <STRONG>operation</STRONG>: UPDATED CUSTOMER (always two words in uppercase) <BR /> <STRONG>customer_id</STRONG>: 123456 (always preceded by "-" and ending with ".") (not available in all messages)<BR /> <STRONG>comment</STRONG>: Added new user. New user was added </P> <P>Example2<BR /> <STRONG>USER: user2 ADDED COUNTRY with identifier: Germany</STRONG></P> <P>What I am looking at this message:<BR /> <STRONG>username</STRONG>:user2<BR /> <STRONG>operation</STRONG>: ADDED COUNTRY (always two words in uppercase)<BR /> <STRONG>comment</STRONG>: with identifier: Germany (in this message I do not have customer_id field)</P> <P>I am using the following REGEX that I far from being accurate. It works for the first use case but not for the second </P> <PRE><CODE> ... | rex field=message "^USER: (?P&lt;username&gt;.+?) (?P&lt;operation&gt;[A-Z].+?) - (?P&lt;id&gt;.+?)\. (?P&lt;message&gt;.*)" </CODE></PRE> <P><STRONG>What I am looking for a final result:</STRONG><BR /> |username.... | operation...........................| id...............| message................................................|<BR /> |user1............|UPDATED CUSTOMER.....| 123456 ....| Added new user. New user was added |<BR /> |user2............|ADDED COUNTRY............| ..................| with identifier: Germany.........................|</P> <P>Can someone help me, building a general regex, please?</P> Tue, 27 Mar 2018 09:05:57 GMT https://community.splunk.com/t5/Splunk-Search/Regex-to-extract-fields-with-different-format/m-p/291485#M88048 nuaraujo 2018-03-27T09:05:57Z https://community.splunk.com/t5/Splunk-Search/Regex-to-extract-fields-with-different-format/m-p/291486#M88049 <P>Hi nuaraujo,<BR /> try this:</P> <PRE><CODE>| rex field=message "^USER: (?P&lt;username&gt;.+?) (?P&lt;operation&gt;[A-Z]+ [A-Z]+) (?&lt;comment&gt;.*)" | rex field=comment "- (?&lt;id&gt;\d+)\. (?&lt;message&gt;.*)" </CODE></PRE> <P>In this way you have all fields.</P> <P>Bye.<BR /> Giuseppe</P> Tue, 27 Mar 2018 09:20:32 GMT https://community.splunk.com/t5/Splunk-Search/Regex-to-extract-fields-with-different-format/m-p/291486#M88049 gcusello 2018-03-27T09:20:32Z https://community.splunk.com/t5/Splunk-Search/Regex-to-extract-fields-with-different-format/m-p/291487#M88050 <P>Can you try :</P> <PRE><CODE>| rex field=message "^USER: (?P&lt;username&gt;.+?) (?P&lt;operation&gt;\w+) (?P&lt;comment&gt;.*)" | rex field=comment "CUSTOMER - (?P&lt;id&gt;[^\.]+)" </CODE></PRE> Tue, 27 Mar 2018 09:21:14 GMT https://community.splunk.com/t5/Splunk-Search/Regex-to-extract-fields-with-different-format/m-p/291487#M88050 p_gurav 2018-03-27T09:21:14Z https://community.splunk.com/t5/Splunk-Search/Regex-to-extract-fields-with-different-format/m-p/291488#M88051 <P>Hello @nuaraujo</P> <P>try something like this.</P> <PRE><CODE>... | rex field=message "USER:\s(?&lt;username&gt;.+?)\s(?&lt;operation&gt;\w+\s\w+)\s\-?\s(?&lt;id&gt;\d+)\.?\s(?&lt;message&gt;.*)" </CODE></PRE> <P>Hope it helps!</P> Tue, 27 Mar 2018 09:21:46 GMT https://community.splunk.com/t5/Splunk-Search/Regex-to-extract-fields-with-different-format/m-p/291488#M88051 lloydknight 2018-03-27T09:21:46Z https://community.splunk.com/t5/Splunk-Search/Regex-to-extract-fields-with-different-format/m-p/291489#M88052 <P>Hi @nuaraujo,</P> <P>Try the following regex instead. I've tested it on my lab with you two examples and it seems to be working fine. Note I am assuming your customer ID is a number so you might need to tweak that if that's not the case.</P> <PRE><CODE>^USER: (?P&lt;username&gt;\S+)\s+(?P&lt;operation&gt;[A-Z]+ [A-Z]+)(\s+\-\s+(?P&lt;customerid&gt;\d+)\.)?\s+(?P&lt;message&gt;.*) </CODE></PRE> <P>Thanks,<BR /> J</P> Tue, 27 Mar 2018 09:25:55 GMT https://community.splunk.com/t5/Splunk-Search/Regex-to-extract-fields-with-different-format/m-p/291489#M88052 javiergn 2018-03-27T09:25:55Z https://community.splunk.com/t5/Splunk-Search/Regex-to-extract-fields-with-different-format/m-p/291490#M88053 <P>Thank @p_gurav.</P> <P>Your suggestion would already be a good solution. However, can you just help me getting 2 words for "operation"? In your suggestion, I am only getting one. Even so, BIG THANK YOU for your quick reply.</P> Tue, 27 Mar 2018 09:27:04 GMT https://community.splunk.com/t5/Splunk-Search/Regex-to-extract-fields-with-different-format/m-p/291490#M88053 nuaraujo 2018-03-27T09:27:04Z https://community.splunk.com/t5/Splunk-Search/Regex-to-extract-fields-with-different-format/m-p/291491#M88054 <P>Thanks<BR /> Thanks<BR /> Thanks <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 27 Mar 2018 09:29:21 GMT https://community.splunk.com/t5/Splunk-Search/Regex-to-extract-fields-with-different-format/m-p/291491#M88054 nuaraujo 2018-03-27T09:29:21Z