As I have mentioned in example....anything after CMD needs to be eliminated. And the pattern is that CMD is the last word in expression and they start with LOG.I have already given example to make it more clear.

@mayank101 well in your question you have mentioned GBP and AMP which is never present in your sample data. However, even if I assume you wanted to remove anything after CMD, the pattern would be CMD exist before the data to be removed and what should be there after data to be removed is taken out?

Does the text highlighted in red below need to be removed? Also whether you want to remove them or extract them or anonymize?

1 LOG-NOTIFYCMD- dce - LOG-NOTIFYCMD- dce 2 LOG-NOTIFYCMD- abc -LOG-NOTIFYCMD- abc 3 LOG-NOTIFYCMD- As1 -LOG-NOTIFYCMD- As1

I want it to be extracted.Yes you are right it has to be extracted upto CMD.

Eg: event : LOG-NOTIFYCMD-dce-
LOG-NOTIFYCMD-`abc

Desired Result to be extracted: LOG-NOTIFYCMD
LOG-NOTIFYCMD

@mayank101 so still not clear. In a single event same text can occur several times and you need to extract all of them? Why? Please add context of what you have in data what you need to do for field extraction and once you have the field extracted how are you going to use it?

Is LOG_NOTIFYCMD going to be the same across or can it vary in your data, can you add sample?

Finally do try to understand that regular expression will be tightly coupled with the data you have and pattern in the data. So unless you explain your requirement correctly with correct data sample (you can definitely anonymize sensitive information so that regular expression does not change) for us to assist you better.

Following is a run anywhere example based on what you have described so far but I have no idea if this is really what you need and if you do, what would be the right use case for this?

|  makeresults
|  eval _raw="1 LOG-NOTIFYCMD- dce - LOG-NOTIFYCMD- dce 2 LOG-NOTIFYCMD- abc -LOG-NOTIFYCMD- abc 3 LOG-NOTIFYCMD- As1 -LOG-NOTIFYCMD- As1"
|  rex "(?<myfield>LOG-NOTIFYCMD)" max_match=0

Following is a more generic regular expression as per your data (with the same disclaimer that it may not work as per your expectations until you provide correct event samples and requirement for field extraction)

|  makeresults
|  eval _raw="1 LOG-NOTIFYCMD- dce - LOG-NOTIFYCMD- dce 2 LOG-NOTIFYCMD- abc -LOG-NOTIFYCMD- abc 3 LOG-NOTIFYCMD- As1 -LOG-NOTIFYCMD- As1"
|  rex "\s*(?<myfield>[^\-]+\-[^\-]+)\-\s[^\s]+" max_match=0

I would recommend you to try regex101.com for you to come up with regex extraction and understand the same (try sample of Reg Ex used above) . Or else use Interactive Field Extraction in Splunk (link to Step by Step IFX Splunk Documentation) where you let Splunk generate the RegEx based on the sample event and field value you highlight in the event.

I apologize niketnilay for being unclear. I will try to be more clear next time.

So try again. show us the raw events and a mockup of your desired final outcome.

Your use of extract is VERY unclear. Show the sample events and a mockup of the desire result. Then you won't need to use any words at all.

I apologize woodcock for being unclear. I will try to be more clear next time.