@ITWhisperer 

I tried using above rex for these log source but not working:

For below 5 different log source I like to extract node number like node06, node03, node01

E:\view\int\t4\apch\node\node06\log\server.log
E:\view\int\t4\apch\node\node06\log\run.log
E:\view\int\t4\apch\node\node03\log\server.log
E:\view\int\t4\apch\node\node01\log\server.log
E:\view\int\t4\apch\node\node01\log\run.log

For below 3 log source I like to extract as core02, web37, core01

E:\view\int\t4\logs\core02-core.log
E:\view\int\t4\logs\web37-wfmws.log
E:\view\int\t4\logs\core01-core.log

Since both log format is different above solution you shared is not working. Please help

Here is a runanywhere example showing it working

| makeresults format=csv data="source
E:\view\int\t4\apch\node\node06\log\server.log
E:\view\int\t4\apch\node\node06\log\run.log
E:\view\int\t4\apch\node\node03\log\server.log
E:\view\int\t4\apch\node\node01\log\server.log
E:\view\int\t4\apch\node\node01\log\run.log
E:\view\int\t4\logs\core02-core.log
E:\view\int\t4\logs\web37-wfmws.log
E:\view\int\t4\logs\core01-core.log"
| rex field=source "^([^\\\\]+\\\\){5}(?<node>[^-]+)"
| rex field=source "^([^\\\\]+\\\\){6}(?<node>[^\\\\]+)"

Note if these different formats for source are used in the same search then the order is significant, otherwise just use the relevant rex pertaining to the source name format