https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-regular-expression-that-extracts-a-field-in-my/m-p/317914#M95118 <P>Hi, sorry if I misunderstood.</P> <P>Is that a multiline event? If so, you should use this one: </P> <PRE><CODE>.*?\)\s+(?P&lt;description&gt;.*?)\n </CODE></PRE> Fri, 24 Feb 2017 19:51:30 GMT jrballesteros05 2017-02-24T19:51:30Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-regular-expression-that-extracts-a-field-in-my/m-p/317908#M95112 <P>I need to do a field extraction for everything after the ) to the end of the first line. I've tried about every regex I can think of to signify EOL but nothing seems to work so far.</P> <P>Here is an event sample:<BR /> 2017-02-22T18:01:04 | Creating request for <A href="https://0.0.0.0/images/logo.gif">https://0.0.0.0/images/logo.gif</A> (msecure.company.com) Mobile US Site1 VIP<BR /> 2017-02-22T18:01:04 | Information SSL1399 - The certificate is valid.; Data: Mobile US Site1 VIP; URL: <A href="https://0.0.0.0/images/logo.gif">https://0.0.0.0/images/logo.gif</A>; Domain: msecure.company.com; Expiration: 08/10/2018 08:00:00</P> <P>So for this event I would want this field to be "Mobile US Site1 VIP".</P> <P>I'm sure I'm messing something up. Thanks in advanced!</P> Fri, 24 Feb 2017 14:39:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-regular-expression-that-extracts-a-field-in-my/m-p/317908#M95112 jeck11 2017-02-24T14:39:43Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-regular-expression-that-extracts-a-field-in-my/m-p/317909#M95113 <P>Is this what you are trying to do?</P> <PRE><CODE>(?:^)(?:[^\)]+\)\s)(.+) </CODE></PRE> Fri, 24 Feb 2017 18:03:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-regular-expression-that-extracts-a-field-in-my/m-p/317909#M95113 horsefez 2017-02-24T18:03:46Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-regular-expression-that-extracts-a-field-in-my/m-p/317910#M95114 <P>Your regex doesn't appear to select anything when I try it. </P> <P>Here is the regex that Splunk gives me when I try and do it through the wizard:</P> <PRE><CODE>^[^\)\n]*\)\s+(?P&lt;description&gt;\w+\s+\w+\s+\w+\s+\w+) </CODE></PRE> <P>This will select anything up to a special character but the final field could have a dash ("-") in it and I can't control how long it is either.</P> Fri, 24 Feb 2017 18:14:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-regular-expression-that-extracts-a-field-in-my/m-p/317910#M95114 jeck11 2017-02-24T18:14:51Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-regular-expression-that-extracts-a-field-in-my/m-p/317911#M95115 <P>This seems to work at: <A href="https://www.regex101.com/">https://www.regex101.com/</A></P> <P>^.[^)]+)\s+(?P.+)</P> Fri, 24 Feb 2017 18:48:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-regular-expression-that-extracts-a-field-in-my/m-p/317911#M95115 pkeller 2017-02-24T18:48:55Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-regular-expression-that-extracts-a-field-in-my/m-p/317912#M95116 <P>This one seems to work for me: </P> <PRE><CODE> .*?\)\s+(?P&lt;description&gt;.*) </CODE></PRE> Fri, 24 Feb 2017 19:34:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-regular-expression-that-extracts-a-field-in-my/m-p/317912#M95116 jrballesteros05 2017-02-24T19:34:02Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-regular-expression-that-extracts-a-field-in-my/m-p/317913#M95117 <P>Yeah. That's what I came up with when using an external site like <A href="https://www.regex101.com/">https://www.regex101.com/</A>. Unfortunately, when I try that in Splunk it begins at the correct spot but goes all the way to the end of the last line instead of stopping at the end of line 1. </P> <P><A href="https://ibb.co/bBYXRF"><IMG src="https://preview.ibb.co/cM0CRF/2017_02_24_14_39_09_Online_regex_tester_and_debugger_PHP_PCRE_Python_Golang_and_Java_Script.png" alt="2017 02 24 14 39 09 Online regex tester and debugger PHP PCRE Python Golang and Java Script" /></A></P> Fri, 24 Feb 2017 19:45:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-regular-expression-that-extracts-a-field-in-my/m-p/317913#M95117 jeck11 2017-02-24T19:45:10Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-regular-expression-that-extracts-a-field-in-my/m-p/317914#M95118 <P>Hi, sorry if I misunderstood.</P> <P>Is that a multiline event? If so, you should use this one: </P> <PRE><CODE>.*?\)\s+(?P&lt;description&gt;.*?)\n </CODE></PRE> Fri, 24 Feb 2017 19:51:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-regular-expression-that-extracts-a-field-in-my/m-p/317914#M95118 jrballesteros05 2017-02-24T19:51:30Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-regular-expression-that-extracts-a-field-in-my/m-p/317915#M95119 <P>So your example is a multi-line event? .... This might work: ^.[^)]+)\s+(?P.+)\n?</P> Fri, 24 Feb 2017 19:52:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-regular-expression-that-extracts-a-field-in-my/m-p/317915#M95119 pkeller 2017-02-24T19:52:14Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-regular-expression-that-extracts-a-field-in-my/m-p/317916#M95120 <P>YES! That did it. Thanks!</P> Fri, 24 Feb 2017 19:55:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-regular-expression-that-extracts-a-field-in-my/m-p/317916#M95120 jeck11 2017-02-24T19:55:34Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-regular-expression-that-extracts-a-field-in-my/m-p/317917#M95121 <P>@Jeck11, glad @jrballesteros05's answer provided a working solution to your question? Please don't forget to resolve this post by clicking "Accept".</P> Fri, 24 Feb 2017 21:09:28 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-regular-expression-that-extracts-a-field-in-my/m-p/317917#M95121 somesoni2 2017-02-24T21:09:28Z