https://community.splunk.com/t5/Splunk-Search/How-do-i-create-a-regular-expression-to-extract-a-particular/m-p/313175#M93749 <P>Can u help we with below.</P> <P>I would like to create regular expression to extract a particular field from comma separated log entry regardless of its length.</P> <P>Log entry sample</P> <P>2017-02-21 14:25:59,2017-02-21 14:25:59,0.000,101.214.24.6,17.28.191.41,45604,22,TCP,.A....,0,0,1,52,0,0,151129516,151129615,0,0,0,0,0,0,72.128.190.41,0.0.0.0,0,0,00:00:00:00:00:00,00:00:00:00:00:00,00:00:00:00:00:00,00:00:00:00:00:00,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0, 0.000, 0.000, 0.000,<STRONG>72.128.157.2</STRONG>,1/2,2,2017-02-21 14:26:00.535</P> <P>Above log entry is a single linke and has multiple fields which is is comma separated. I would like to extract the field which is marked in BOLD. That is next hop IP for netflow logs.<BR /> Basically i would like to only extract the '45th' field in this log entry, regardless of variable data lengths from each fields or type of data.</P> <P>Can u pls help. I tried while extracting fields and let splunk to do it, but when the data size varies, splunk fails to detect certain fields.</P> Tue, 21 Feb 2017 15:35:34 GMT shobithk 2017-02-21T15:35:34Z https://community.splunk.com/t5/Splunk-Search/How-do-i-create-a-regular-expression-to-extract-a-particular/m-p/313175#M93749 <P>Can u help we with below.</P> <P>I would like to create regular expression to extract a particular field from comma separated log entry regardless of its length.</P> <P>Log entry sample</P> <P>2017-02-21 14:25:59,2017-02-21 14:25:59,0.000,101.214.24.6,17.28.191.41,45604,22,TCP,.A....,0,0,1,52,0,0,151129516,151129615,0,0,0,0,0,0,72.128.190.41,0.0.0.0,0,0,00:00:00:00:00:00,00:00:00:00:00:00,00:00:00:00:00:00,00:00:00:00:00:00,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0, 0.000, 0.000, 0.000,<STRONG>72.128.157.2</STRONG>,1/2,2,2017-02-21 14:26:00.535</P> <P>Above log entry is a single linke and has multiple fields which is is comma separated. I would like to extract the field which is marked in BOLD. That is next hop IP for netflow logs.<BR /> Basically i would like to only extract the '45th' field in this log entry, regardless of variable data lengths from each fields or type of data.</P> <P>Can u pls help. I tried while extracting fields and let splunk to do it, but when the data size varies, splunk fails to detect certain fields.</P> Tue, 21 Feb 2017 15:35:34 GMT https://community.splunk.com/t5/Splunk-Search/How-do-i-create-a-regular-expression-to-extract-a-particular/m-p/313175#M93749 shobithk 2017-02-21T15:35:34Z https://community.splunk.com/t5/Splunk-Search/How-do-i-create-a-regular-expression-to-extract-a-particular/m-p/313176#M93750 <P>If your next hop IP is always 45th segment (comma as separator), then try this</P> <PRE><CODE>your base search | rex "^([^,]+,){44}(?&lt;next_hop_IP&gt;[^,]+)" </CODE></PRE> Tue, 21 Feb 2017 16:03:33 GMT https://community.splunk.com/t5/Splunk-Search/How-do-i-create-a-regular-expression-to-extract-a-particular/m-p/313176#M93750 somesoni2 2017-02-21T16:03:33Z https://community.splunk.com/t5/Splunk-Search/How-do-i-create-a-regular-expression-to-extract-a-particular/m-p/313177#M93751 <P>HI</P> <PRE><CODE>Event </CODE></PRE> <P>2017-02-15 09:59:51,787@$@VWNV02AX01571@$@72f62f43-7269-4ca9-add5-3b623982a5fc@$@@$@5e3de831-cde6-4b83-be76-0235345063c3@$@OHHNCacheCommonBO@$@LogDynamicObjectsByDelegates@$@LogDynamicObjects@$@2017-02-15 09:59:51.787@$@2017-02-15 09:59:51.787@$@0@$@@$@</P> <P>How do i delimit by @$@</P> Fri, 03 Mar 2017 12:05:42 GMT https://community.splunk.com/t5/Splunk-Search/How-do-i-create-a-regular-expression-to-extract-a-particular/m-p/313177#M93751 puneethgowda 2017-03-03T12:05:42Z https://community.splunk.com/t5/Splunk-Search/How-do-i-create-a-regular-expression-to-extract-a-particular/m-p/313178#M93752 <P>Hi somesoni</P> <P>We want to use regular expression to extract below Even </P> <P>Based on 1st accuranc of @$@ will be first column and 2 ND accuranc will be 2nd column like that many fields need to be extracted <BR /> 2017-02-15 09:59:51,787@$@VWNV02AX01571@$@72f62f43-7269-4ca9-add5-3b623982a5fc@$@@$@5e3de831-cde6-4b83-be76-0235345063c3@$@OHHNCacheCommonBO@$@LogDynamicObjectsByDelegates@$@LogDynamicObjects@$@2017-02-15 09:59:51.787@$@2017-02-15 09:59:51.787@$@0@$@@$@</P> <P>How do i delimit by @$@<BR /> 2017-02-15 09:59:51,787@$@VWNV02AX01571@$@72f62f43-7269-4ca9-add5-3b623982a5fc@$@@$@5e3de831-cde6-4b83-be76-0235345063c3@$@OHHNCacheCommonBO@$@LogDynamicObjectsByDelegates@$@LogDynamicObjects@$@2017-02-15 09:59:51.787@$@2017-02-15 09:59:51.787@$@0@$@@$@</P> <P>How do i delimit by @$@</P> Sat, 04 Mar 2017 05:24:03 GMT https://community.splunk.com/t5/Splunk-Search/How-do-i-create-a-regular-expression-to-extract-a-particular/m-p/313178#M93752 puneethgowda 2017-03-04T05:24:03Z https://community.splunk.com/t5/Splunk-Search/How-do-i-create-a-regular-expression-to-extract-a-particular/m-p/313179#M93753 <PRE><CODE> | makeresults | eval key=" 2017-02-15 09:59:51,787@$@VWNV02AX01571@$@72f62f43-7269-4ca9-add5-3b623982a5fc@$@@$@5e3de831-cde6-4b83-be76-0235345063c3@$@OHHNCacheCommonBO@$@LogDynamicObjectsByDelegates@$@LogDynamicObjects@$@2017-02-15 09:59:51.787@$@2017-02-15 09:59:51.787@$@0@$@@$@" | rex mode=sed field=key "s/\@\$\@/,/g"| rex field=key "^([^,]*,){5}(?&lt;next_hop_IP&gt;[^,]*)" | table key,next_hop_IP </CODE></PRE> <P>In above case I have converted "@$@" to comma and then split based on same logic. Have a try using above for getting the 6th field</P> Sun, 05 Mar 2017 00:02:24 GMT https://community.splunk.com/t5/Splunk-Search/How-do-i-create-a-regular-expression-to-extract-a-particular/m-p/313179#M93753 koshyk 2017-03-05T00:02:24Z https://community.splunk.com/t5/Splunk-Search/How-do-i-create-a-regular-expression-to-extract-a-particular/m-p/313180#M93754 <P>In few events we have , inside fields </P> Sun, 05 Mar 2017 10:36:28 GMT https://community.splunk.com/t5/Splunk-Search/How-do-i-create-a-regular-expression-to-extract-a-particular/m-p/313180#M93754 puneethgowda 2017-03-05T10:36:28Z