Thanks, but it seems to only work on some messages and not others....

You would have more/better help if you actually posted examples and said "it worked for these ... but didn't work for those ...". Give as much detail as possible.

I think I got it, in the example I showed, I was testing with double "" around the ID= field, so it worked with that. But my regular messages look like this.

Aug  1 11:27:04 192.168.1.201 Aug  1 11:26:13 asterisk[4015]: VERBOSE[4015]:     -- Executing [s@default:1] Set("SIP/3102-in-00000000", "you=111111111|id=CALLER ID") in new stack

Really sorry for the confusion. I can add the double "" back, but I really do want to understand why just changing to

Guys thank you so much. I figured it out. I guess I need to pay more attention. This is what my final search string looks like...

SIP/3102-in-* you=* | rex "id=(?[^\"]+)" |  table you, id

@yozhbk, please accept the answer to close it out

rex "id=\"\"(?[^)]+)" will not work because it is expecting r " after =. In your data, it appears, there's no quotes after the = sign. To capture, when no quotes, try this

SIP/3102-in-* you=* | rex "id=(?<id>[^\"]+)" |  table you, id

rex "id=\"\"(?[^)]+)" doesnt work ?

Hello,

It worked for one of the entrees, but not the others... The length is always changing and so does the placement of the space, basicly its a callers ID that i`m trying to extract.

This regex looks for id="" and captures everything after that till ", so the length should matter, as long as id="" exists. Can you share a sample where it doesn't match