great, that works 🙂

Hmm, im not sure @pradjswl. Look for any trailing or leading spaces. here is a screenshot of what i had.

@dtregonning_splunk how/where do i specify the name of extracted filed in this format ? on regex portal it does return the correct value. How would this work in splunk, as I understand we need to specify the extracted filed name in the query it self with triangular bracket. I tried putting triangular bracket in the query but getting syntax error.

(?COLDAPP?P.*)::

replace field_name_xxx to whatever you would like to call the extraction field.

@dtregonning_splunk some how splunk comment omits the fieldname while we comment. I see it was omitted in the question I posted, and the response you are posting. It would be a great if you can post a screenshot with field name.

I truly appreciate your help.

By the way how much point do i need to earn before I can start posting images in the comment?

@pradjswl - 60 Karma points are required to attach files. Here's a general outline of how to earn Karma points on Answers as well as how much Karma is required in order to unlock certain site capabilities.

@dtregonning_splunk somwhow its not working. I am trying my query on regex101.com. Is there anything wrong I would b doing ?

PS: I was trying to attach a snap, but i got message I would need more karma point to attach image in the post.