Solved: Splunk rex field extraction issue

dineshCool · ‎08-09-2019

Hi Guys,

I have to extract one field from the below log and i tried this regex in https://rubular.com/ "(?<=^4Nett\s\W\W)(\W.*)$" This regex exactly working what i am looking for.

Status report: "<App name> :: <Status>"
ABC_Service :: Started in 2 sec

but when i try this in splunk it is not giving me the extracted field.

<base query>|rex (?<Application_status><=^4Nett\s\W\W)(\W.*)$

My expected result
Started in 2 sec

Please give me a hint what i am missing here

renjith_nair · ‎08-09-2019

@dineshCool,

If you have the :: delimiter always in the events try

rex "::\s+(?<Application_Status>.*)"

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

renjith_nair · ‎08-09-2019

@dineshCool,

If you have the :: delimiter always in the events try

rex "::\s+(?<Application_Status>.*)"

---
What goes around comes around. If it helps, hit it with Karma 🙂

Splunk rex field extraction issue

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Data Management Digest – May 2026

Join the Conversation