This was the rex I was using

| rex field="External Video ID" "(?.*)_"

Hi vrmandadi,
sorry if I repeat: I cannot see your regex, please use Code Sample!

Anyway the condition field="External Video ID" can be reproduced in IFX adding after the regex in <fieldname> , see the following example:

(?<External_ID>.*)_ in External_ID

In addition I suggest to not use spaces in field names, you can use field names with spaces at the end of your search using rename.

Bye.
Giuseppe

Hello @cusello

yup I am aware of that it takes time but is there a problem with the quotes when placing in IFX

I just placed "External ID" (?.*)_ in the ifx bu the rex has something like this

| rex field="External ID" "(?.*)_"

@somesoni2

This is the sample event

RSN,interstitial/live_rsn_desktop_live ,Autozone/RSN_RSN_372462,Autozone/RSN_900014269,DIGITAL- 4Q17-2Q18 NBA Lakers Streaming_101917-042218_Live Stream,Autozone/RSN_ZONA1801_RSN,RSN APP,73369465,RSNAPP_LIVE,XXXXXXXXXXXX Network,Autozone/RSN_RSN_Live Stream,2/15/2018,620

I am trying to extract the one in bold

Is it always found in the 3rd last value in your raw data?? If yes, out of Autozone/RSN_RSN_Live Stream which part is (currently) extracted as "External ID" and which part should be your new field?

Meanwhile give this regex a try

^([^,]+,){10}(?<YourNewField>([^_]+_)+)

https://regex101.com/r/lOwD2p/1

This did not work,cant we extract from existing field and save it as new field?

Nope,It is different for some events,I "External ID" has values like

ID_LIVE

MS_LIVE
RTS_LIVE

TT_LIVE
HG_LIVE

Cp_LIVE

I am trying to extract a new field called field removing the part after _ like ID,MS,TT,HG

How is the field "External ID" extracted?? Do it's value always ends with _LIVE??

So its a csv file and it extracts that automatically as it is in the header and not all values end with _LIVE

Ok.. One final question, how is CSV field extraction setup, at search-time (using KV_MODE=csv) OR at indexed-time (INDEXED_EXTRACTIONS=csv )? You can see the order in which a search time field extraction setting is applied here. http://docs.splunk.com/Documentation/Splunk/6.5.0/Knowledge/Searchtimeoperationssequence#Search-time...
The field transforms (using which you can extract a field out of existing field) is executed before the KV_MODE field extraction so your "External ID" will not be available to field transform if "External ID" is extracted via KV_MODE.
In that case, I think you can do your extraction using it by using calculated fields which are done after KV_MODE or automatic field extractions. Follow instructions from below link
http://docs.splunk.com/Documentation/Splunk/6.5.0/Knowledge/CreatecalculatedfieldswithSplunkWeb
and use following a eval expression: replace('External ID',"(.+)_(.+)","\1")

I used INDEXED_EXTRACTIONS=csv ,so should I try uploading the csv again and change it to KV_MODE=CSV and then use it

You can test with INDEXED_EXTRACTIONS itself. Try both calculated fields and field transforms method.

I did not see field="External ID" 😕 @somesoni2 answer will do .

sorry for the confusion @mayur98

I just placed "External ID" (?.*)_ in the ifx but the rex has something like this

| rex field="External ID" "(?.*)_"