Thank you so much PickleRick. It works for me well. I was able to isolate 3 consecutive results. I appreciate
For OAuth 2.0 authentication in Splunk_TA_snow, under the ServiceNow account configuration you type in the Client Id and Client Secret. Once you click on the Save/Update button, if the connection is successful, a pop-up window opens where you have to log in with a proper user and password. Mind that the browser doesn't take your personal credentials, but you log in with a user that was predefined in ServiceNow.
Yes. That's so... and that was a really bad idea for the App order UI in WebGUI 🤦‍ 🤦‍ 🤦‍ Previously the drag option with jquery was perfect... really do not know why they changed this section so drastically. Editing "user-prefs.conf" needs a daemon restart. Annoying.
Hi Splunker,

I've been developing a React app for Splunk that manages users via the REST API (create/update/delete). Initially, I hardcoded the REST API URL, username, and password for development purposes. Now that the development is nearly complete, I need to make the URL dynamic. It should retrieve the REST API server URL and the currently logged-in user's information and use it in the Splunk React app. How can I achieve this?

Here is the current hardcoded code:

import axios from 'axios';

const fetchAllUsers = async () => {
  try {
    // Management port, username and password hardcoded for development
    const response = await axios.get('https://mymachine:8089/services/authentication/users', {
      auth: { username: 'admin', password: 'admin123' },
      headers: { 'Content-Type': 'application/xml' }
    });
    return response.data;
  } catch (error) {
    console.error('Error fetching users:', error);
  }
};

#restapi #createuser #react #reactapp

thanks in advance
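Added example, not code from the post above or from Splunk: one way to drop both the hardcoded management URL and the admin password. When the React app is served by Splunk Web, it can reach splunkd through Splunk Web's own proxy path (/<locale>/splunkd/__raw/services/...) using the browser's session cookie, so every request runs as the logged-in user with that user's capabilities, and /services/authentication/current-context reports who that user is. Splunk Web stores a CSRF token in the splunkweb_csrf_token_<port> cookie and expects the same value in the X-Splunk-Form-Key header on state-changing requests through that path. The locale en-US, the port 8000, the cookie value and the fake splunkd responses are assumptions made for the demo.

```javascript
// Added example (not code from the original post or from Splunk): let the
// Splunk-hosted React app call splunkd as the logged-in browser user instead of
// shipping an admin password in the bundle.
// Assumptions: the app is served by Splunk Web, so the proxy path
// /<locale>/splunkd/__raw/services/... is same-origin and carries the session
// cookie; locale "en-US" and web port 8000 are placeholders.

// Same-origin URL to a splunkd endpoint via Splunk Web's proxy.
function buildSplunkdUrl(locale, endpoint, params = {}) {
  const path = `/${locale}/splunkd/__raw/services/${endpoint.replace(/^\/+/, '')}`;
  const query = new URLSearchParams(params).toString();
  return query ? `${path}?${query}` : path;
}

// Splunk Web keeps a CSRF token in the cookie "splunkweb_csrf_token_<port>"
// and expects the same value in the X-Splunk-Form-Key header on POST/DELETE.
function csrfTokenFromCookie(cookieString, port) {
  const name = `splunkweb_csrf_token_${port}`;
  for (const part of cookieString.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) return decodeURIComponent(rest.join('='));
  }
  return null;
}

// fetch() options: send the session cookie, ask for JSON, and add the CSRF
// header only on state-changing methods.
function splunkdInit(method, csrfToken) {
  const headers = { Accept: 'application/json' };
  if (method !== 'GET' && method !== 'HEAD') headers['X-Splunk-Form-Key'] = csrfToken;
  return { method, credentials: 'same-origin', headers };
}

// Reduce a splunkd JSON response (output_mode=json) to its entry names.
function entryNames(body) {
  return body && Array.isArray(body.entry) ? body.entry.map((e) => e.name) : [];
}

// Who is the browser logged in as? current-context describes the session's
// own user, so no username has to be configured in the app.
async function fetchCurrentUser(fetchImpl, locale) {
  const url = buildSplunkdUrl(locale, 'authentication/current-context', { output_mode: 'json' });
  const res = await fetchImpl(url, splunkdInit('GET'));
  if (!res.ok) throw new Error(`current-context failed: HTTP ${res.status}`);
  return (await res.json()).entry[0].content.username;
}

// List users as that user. splunkd enforces the caller's capabilities, so the
// result is whatever that user may see; no admin secret lives in the app.
async function fetchAllUsers(fetchImpl, locale) {
  const url = buildSplunkdUrl(locale, 'authentication/users', { output_mode: 'json', count: 0 });
  const res = await fetchImpl(url, splunkdInit('GET'));
  if (!res.ok) throw new Error(`users failed: HTTP ${res.status}`);
  return entryNames(await res.json());
}

// Create a user (needs the edit_user capability); the CSRF token comes from
// the cookie, never from configuration.
async function createUser(fetchImpl, locale, csrfToken, fields) {
  const init = splunkdInit('POST', csrfToken);
  init.headers['Content-Type'] = 'application/x-www-form-urlencoded';
  init.body = new URLSearchParams(fields).toString();
  const res = await fetchImpl(buildSplunkdUrl(locale, 'authentication/users', { output_mode: 'json' }), init);
  if (!res.ok) throw new Error(`create user failed: HTTP ${res.status}`);
  return entryNames(await res.json());
}

// Constructed stand-in for splunkd so this file runs offline. In the browser
// pass window.fetch, document.cookie and window.location.port instead.
function fakeSplunkd(url, init) {
  const json = (body) => Promise.resolve({ ok: true, status: 200, json: async () => body });
  if (init.method === 'POST' && init.headers['X-Splunk-Form-Key'] !== 'tok123') {
    return Promise.resolve({ ok: false, status: 401, json: async () => ({}) });
  }
  if (url.includes('/authentication/current-context')) {
    return json({ entry: [{ name: 'context', content: { username: 'alice' } }] });
  }
  return json({ entry: [{ name: 'admin' }, { name: 'alice' }] });
}

const DEMO_COOKIE = 'session_id_8000=abc; splunkweb_csrf_token_8000=tok123'; // constructed

async function demo() {
  const token = csrfTokenFromCookie(DEMO_COOKIE, 8000);
  return {
    me: await fetchCurrentUser(fakeSplunkd, 'en-US'),
    users: await fetchAllUsers(fakeSplunkd, 'en-US'),
    created: await createUser(fakeSplunkd, 'en-US', token, { name: 'bob', password: 'Str0ng-Pass!', roles: 'user' }),
  };
}
```

Run demo().then(console.log) to see the offline result. In a real app pass window.fetch, document.cookie and window.location.port; Splunk's own @splunk/splunk-utils package exposes the same pieces (createRESTURL in its url module, defaultFetchInit in its fetch module, the current username in its config module), and the functions above are hand-rolled only so the file runs without that dependency. Whatever wrapper is used, the security point is the same: the browser never holds a privileged credential, and a user who lacks the capability for an action gets a 403 from splunkd instead of the app quietly acting as admin.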
Perfect, worked for me thanks!!
I use the linked list input type to control sets of panels, something like this

<input id="inventory_type" type="link" token="tok_category" searchWhenChanged="true">
  <choice value="host">Host</choice>
  <choice value="user">User</choice>
  <initialValue>host</initialValue>
  <change>
    <condition value="host">
      <set token="by_host"></set>
      <unset token="by_user"></unset>
    </condition>
    <condition value="user">
      <set token="by_user"></set>
      <unset token="by_host"></unset>
    </condition>
  </change>
</input>

You can then have <row depends="$by_host$"> and <row depends="$by_user$"> to control which rows are shown. If you want to have inline CSS to then tweak the buttons you can do it in the dashboard. See this app which has an example of how to customise the XML and tabs. https://splunkbase.splunk.com/app/5256

You can then get this type of display
OK, so you've got two tokens going on here. The default 'All' (*) is selected. When you select one from the list, the intention is that the All (*) should disappear, otherwise the selected options are *,1 (or whatever 1 is in your case). So, my condition resets the form. token so that it removes * from the options.

What token are you actually using in the search? Are you using app_fm_entity_id or app_net_fm_entity_id?

If you need a second token which also has the word "_all" when * is selected, then your problem is that you are using <eval> to set that token, when you just need to use <set>.

I use an html panel sometimes to debug tokens - multiselect behaviour is a little unintuitive and technically the documentation says that <change> is not supported for multiselect, but it does work, it's just odd...

<panel>
  <input id="app_nodes_multiselect" type="multiselect" token="app_fm_entity_id" searchWhenChanged="true">
    <label>Nodes</label>
    <delimiter> </delimiter>
    <fieldForLabel>entity_name</fieldForLabel>
    <fieldForValue>internal_entity_id</fieldForValue>
    <search>
      <query>| makeresults count=5 | streamstats c | eval entity_name="name:".c, internal_entity_id=c | table entity_name, internal_entity_id | sort entity_name</query>
    </search>
    <choice value="*">All</choice>
    <default>*</default>
    <change>
      <condition match="$form.app_fm_entity_id$=&quot;*&quot;">
        <set token="app_net_fm_entity_id">_all</set>
        <set token="condition">1</set>
      </condition>
      <condition>
        <set token="condition">2</set>
        <eval token="form.app_fm_entity_id">case(mvcount($form.app_fm_entity_id$)="2" AND mvindex($form.app_fm_entity_id$,0)="*", mvindex($form.app_fm_entity_id$,1), mvfind($form.app_fm_entity_id$,"^\\*$$")=mvcount($form.app_fm_entity_id$)-1, "_all", true(), $form.app_fm_entity_id$)</eval>
        <set token="app_net_fm_entity_id">$app_fm_entity_id$</set>
      </condition>
    </change>
  </input>
  <html>
    app_fm_entity_id::$app_fm_entity_id$<p/>
    form.app_fm_entity_id::$form.app_fm_entity_id$<p/>
    app_fm_entity_id::$app_fm_entity_id$<p/>
    app_net_fm_entity_id::$app_net_fm_entity_id$<p/>
    condition::$condition$
  </html>
</panel>
Hi @dinesh001kumar,

In Simple XML and without resorting to custom HTML, CSS, and JavaScript in separate files, you can use a visualization to draw circles and drilldowns to control the visibility of rows or panels. Here's an (ugly) example using six rows of five single value panels controlled by a separate table panel:

<dashboard version="1.1" theme="light">
  <label>pagination</label>
  <init>
    <set token="show_page_1_tok">1</set>
    <set token="page_1_tok">⬤</set>
    <unset token="show_page_2_tok"></unset>
    <set token="page_2_tok">◯</set>
    <unset token="show_page_3_tok"></unset>
    <set token="page_3_tok">◯</set>
    <unset token="show_page_4_tok"></unset>
    <set token="page_4_tok">◯</set>
    <unset token="show_page_5_tok"></unset>
    <set token="page_5_tok">◯</set>
    <unset token="show_page_6_tok"></unset>
    <set token="page_6_tok">◯</set>
  </init>
  <row depends="$show_page_1_tok$" rejects="$show_page_2_tok$,$show_page_3_tok$,$show_page_4_tok$,$show_page_5_tok$,$show_page_6_tok$">
    <panel>
      <single>
        <search><query>| stats count | eval count=1</query><earliest>-24h@h</earliest><latest>now</latest></search>
        <option name="drilldown">none</option>
      </single>
    </panel>
    <panel>
      <single>
        <search><query>| stats count | eval count=1</query><earliest>-24h@h</earliest><latest>now</latest></search>
        <option name="drilldown">none</option>
      </single>
    </panel>
    <panel>
      <single>
        <search><query>| stats count | eval count=1</query><earliest>-24h@h</earliest><latest>now</latest></search>
        <option name="drilldown">none</option>
      </single>
    </panel>
    <panel>
      <single>
        <search><query>| stats count | eval count=1</query><earliest>-24h@h</earliest><latest>now</latest></search>
        <option name="drilldown">none</option>
      </single>
    </panel>
    <panel>
      <single>
        <search><query>| stats count | eval count=1</query><earliest>-24h@h</earliest><latest>now</latest></search>
        <option name="drilldown">none</option>
      </single>
    </panel>
  </row>
  <row depends="$show_page_2_tok$" rejects="$show_page_1_tok$,$show_page_3_tok$,$show_page_4_tok$,$show_page_5_tok$,$show_page_6_tok$">
    <panel>
      <single>
        <search><query>| stats count | eval count=2</query><earliest>-24h@h</earliest><latest>now</latest></search>
        <option name="drilldown">none</option>
      </single>
    </panel>
    <panel>
      <single>
        <search><query>| stats count | eval count=2</query><earliest>-24h@h</earliest><latest>now</latest></search>
        <option name="drilldown">none</option>
      </single>
    </panel>
    <panel>
      <single>
        <search><query>| stats count | eval count=2</query><earliest>-24h@h</earliest><latest>now</latest></search>
        <option name="drilldown">none</option>
      </single>
    </panel>
    <panel>
      <single>
        <search><query>| stats count | eval count=2</query><earliest>-24h@h</earliest><latest>now</latest></search>
        <option name="drilldown">none</option>
      </single>
    </panel>
    <panel>
      <single>
        <search><query>| stats count | eval count=2</query><earliest>-24h@h</earliest><latest>now</latest></search>
        <option name="drilldown">none</option>
      </single>
    </panel>
  </row>
  <row depends="$show_page_3_tok$" rejects="$show_page_1_tok$,$show_page_2_tok$,$show_page_4_tok$,$show_page_5_tok$,$show_page_6_tok$">
    <panel>
      <single>
        <search><query>| stats count | eval count=3</query><earliest>-24h@h</earliest><latest>now</latest></search>
        <option name="drilldown">none</option>
      </single>
    </panel>
    <panel>
      <single>
        <search><query>| stats count | eval count=3</query><earliest>-24h@h</earliest><latest>now</latest></search>
        <option name="drilldown">none</option>
      </single>
    </panel>
    <panel>
      <single>
        <search><query>| stats count | eval count=3</query><earliest>-24h@h</earliest><latest>now</latest></search>
        <option name="drilldown">none</option>
      </single>
    </panel>
    <panel>
      <single>
        <search><query>| stats count | eval count=3</query><earliest>-24h@h</earliest><latest>now</latest></search>
        <option name="drilldown">none</option>
      </single>
    </panel>
    <panel>
      <single>
        <search><query>| stats count | eval count=3</query><earliest>-24h@h</earliest><latest>now</latest></search>
        <option name="drilldown">none</option>
      </single>
    </panel>
  </row>
  <row depends="$show_page_4_tok$" rejects="$show_page_1_tok$,$show_page_2_tok$,$show_page_3_tok$,$show_page_5_tok$,$show_page_6_tok$">
    <panel>
      <single>
        <search><query>| stats count | eval count=4</query><earliest>-24h@h</earliest><latest>now</latest></search>
        <option name="drilldown">none</option>
      </single>
    </panel>
    <panel>
      <single>
        <search><query>| stats count | eval count=4</query><earliest>-24h@h</earliest><latest>now</latest></search>
        <option name="drilldown">none</option>
      </single>
    </panel>
    <panel>
      <single>
        <search><query>| stats count | eval count=4</query><earliest>-24h@h</earliest><latest>now</latest></search>
        <option name="drilldown">none</option>
      </single>
    </panel>
    <panel>
      <single>
        <search><query>| stats count | eval count=4</query><earliest>-24h@h</earliest><latest>now</latest></search>
        <option name="drilldown">none</option>
      </single>
    </panel>
    <panel>
      <single>
        <search><query>| stats count | eval count=4</query><earliest>-24h@h</earliest><latest>now</latest></search>
        <option name="drilldown">none</option>
      </single>
    </panel>
  </row>
  <row depends="$show_page_5_tok$" rejects="$show_page_1_tok$,$show_page_2_tok$,$show_page_3_tok$,$show_page_4_tok$,$show_page_6_tok$">
    <panel>
      <single>
        <search><query>| stats count | eval count=5</query><earliest>-24h@h</earliest><latest>now</latest></search>
        <option name="drilldown">none</option>
      </single>
    </panel>
    <panel>
      <single>
        <search><query>| stats count | eval count=5</query><earliest>-24h@h</earliest><latest>now</latest></search>
        <option name="drilldown">none</option>
      </single>
    </panel>
    <panel>
      <single>
        <search><query>| stats count | eval count=5</query><earliest>-24h@h</earliest><latest>now</latest></search>
        <option name="drilldown">none</option>
      </single>
    </panel>
    <panel>
      <single>
        <search><query>| stats count | eval count=5</query><earliest>-24h@h</earliest><latest>now</latest></search>
        <option name="drilldown">none</option>
      </single>
    </panel>
    <panel>
      <single>
        <search><query>| stats count | eval count=5</query><earliest>-24h@h</earliest><latest>now</latest></search>
        <option name="drilldown">none</option>
      </single>
    </panel>
  </row>
  <row depends="$show_page_6_tok$" rejects="$show_page_1_tok$,$show_page_2_tok$,$show_page_3_tok$,$show_page_4_tok$,$show_page_5_tok$">
    <panel>
      <single>
        <search><query>| stats count | eval count=6</query><earliest>-24h@h</earliest><latest>now</latest></search>
        <option name="drilldown">none</option>
      </single>
    </panel>
    <panel>
      <single>
        <search><query>| stats count | eval count=6</query><earliest>-24h@h</earliest><latest>now</latest></search>
        <option name="drilldown">none</option>
      </single>
    </panel>
    <panel>
      <single>
        <search><query>| stats count | eval count=6</query><earliest>-24h@h</earliest><latest>now</latest></search>
        <option name="drilldown">none</option>
      </single>
    </panel>
    <panel>
      <single>
        <search><query>| stats count | eval count=6</query><earliest>-24h@h</earliest><latest>now</latest></search>
        <option name="drilldown">none</option>
      </single>
    </panel>
    <panel>
      <single>
        <search><query>| stats count | eval count=6</query><earliest>-24h@h</earliest><latest>now</latest></search>
        <option name="drilldown">none</option>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <html>
        <style>
          #page_table thead { visibility: collapse !important; }
        </style>
      </html>
      <table id="page_table">
        <search>
          <query>| makeresults | fields - _time | eval "Page 1"="$page_1_tok$", "Page 2"="$page_2_tok$", "Page 3"="$page_3_tok$", "Page 4"="$page_4_tok$", "Page 5"="$page_5_tok$", "Page 6"="$page_6_tok$"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">cell</option>
        <option name="wrap">false</option>
        <drilldown>
          <condition field="Page 1">
            <set token="show_page_1_tok">1</set>
            <set token="page_1_tok">⬤</set>
            <unset token="show_page_2_tok"></unset>
            <set token="page_2_tok">◯</set>
            <unset token="show_page_3_tok"></unset>
            <set token="page_3_tok">◯</set>
            <unset token="show_page_4_tok"></unset>
            <set token="page_4_tok">◯</set>
            <unset token="show_page_5_tok"></unset>
            <set token="page_5_tok">◯</set>
            <unset token="show_page_6_tok"></unset>
            <set token="page_6_tok">◯</set>
          </condition>
          <condition field="Page 2">
            <unset token="show_page_1_tok"></unset>
            <set token="page_1_tok">◯</set>
            <set token="show_page_2_tok">1</set>
            <set token="page_2_tok">⬤</set>
            <unset token="show_page_3_tok"></unset>
            <set token="page_3_tok">◯</set>
            <unset token="show_page_4_tok"></unset>
            <set token="page_4_tok">◯</set>
            <unset token="show_page_5_tok"></unset>
            <set token="page_5_tok">◯</set>
            <unset token="show_page_6_tok"></unset>
            <set token="page_6_tok">◯</set>
          </condition>
          <condition field="Page 3">
            <unset token="show_page_1_tok"></unset>
            <set token="page_1_tok">◯</set>
            <unset token="show_page_2_tok"></unset>
            <set token="page_2_tok">◯</set>
            <set token="show_page_3_tok">1</set>
            <set token="page_3_tok">⬤</set>
            <unset token="show_page_4_tok"></unset>
            <set token="page_4_tok">◯</set>
            <unset token="show_page_5_tok"></unset>
            <set token="page_5_tok">◯</set>
            <unset token="show_page_6_tok"></unset>
            <set token="page_6_tok">◯</set>
          </condition>
          <condition field="Page 4">
            <unset token="show_page_1_tok"></unset>
            <set token="page_1_tok">◯</set>
            <unset token="show_page_2_tok"></unset>
            <set token="page_2_tok">◯</set>
            <unset token="show_page_3_tok"></unset>
            <set token="page_3_tok">◯</set>
            <set token="show_page_4_tok">1</set>
            <set token="page_4_tok">⬤</set>
            <unset token="show_page_5_tok"></unset>
            <set token="page_5_tok">◯</set>
            <unset token="show_page_6_tok"></unset>
            <set token="page_6_tok">◯</set>
          </condition>
          <condition field="Page 5">
            <unset token="show_page_1_tok"></unset>
            <set token="page_1_tok">◯</set>
            <unset token="show_page_2_tok"></unset>
            <set token="page_2_tok">◯</set>
            <unset token="show_page_3_tok"></unset>
            <set token="page_3_tok">◯</set>
            <unset token="show_page_4_tok"></unset>
            <set token="page_4_tok">◯</set>
            <set token="show_page_5_tok">1</set>
            <set token="page_5_tok">⬤</set>
            <unset token="show_page_6_tok"></unset>
            <set token="page_6_tok">◯</set>
          </condition>
          <condition field="Page 6">
            <unset token="show_page_1_tok"></unset>
            <set token="page_1_tok">◯</set>
            <unset token="show_page_2_tok"></unset>
            <set token="page_2_tok">◯</set>
            <unset token="show_page_3_tok"></unset>
            <set token="page_3_tok">◯</set>
            <unset token="show_page_4_tok"></unset>
            <set token="page_4_tok">◯</set>
            <unset token="show_page_5_tok"></unset>
            <set token="page_5_tok">◯</set>
            <set token="show_page_6_tok">1</set>
            <set token="page_6_tok">⬤</set>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>
WoW!! Your example got me super close to the finish line!!! The only issue left is that when I have "All" selected with other options and then unselect other options so that only the "All" option remains, then the "app_net_fm_entity_id" token gets unset, instead of having the value of "_all"

<input id="app_nodes_multiselect" type="multiselect" depends="$app_fm_app_id$" token="app_fm_entity_id" searchWhenChanged="true">
  <label>Nodes</label>
  <delimiter> </delimiter>
  <fieldForLabel>entity_name</fieldForLabel>
  <fieldForValue>internal_entity_id</fieldForValue>
  <search>
    <query>| inputlookup aix_kv_apm_comps WHERE entity_type!=$app_fm_group_nodes$ | search [| makeresults | eval search="internal_parent_id=(".mvjoin($app_fm_app_id$, " OR internal_parent_id=").")" | return $search] | table entity_name, internal_entity_id | sort entity_name</query>
  </search>
  <choice value="*">All</choice>
  <default>*</default>
  <change>
    <condition match="$form.app_fm_entity_id$=&quot;*&quot;">
      <eval token="app_net_fm_entity_id">_all</eval>
    </condition>
    <condition>
      <eval token="app_net_fm_entity_id">case(mvcount($form.app_fm_entity_id$)="2" AND mvindex($form.app_fm_entity_id$,0)="*", mvindex($form.app_fm_entity_id$,1), mvfind($form.app_fm_entity_id$,"^\\*$$")=mvcount($form.app_fm_entity_id$)-1, "_all", true(), $form.app_fm_entity_id$)</eval>
    </condition>
  </change>
</input>
Thank you so much for your help!!! I apologize that I wasn't completely clear in my requirement. I need the "app_net_fm_entity_id" token set to "_all" IF the "app_fm_entity_id" (aka selectedvalues) has only the "*" value selected. A different way to say that is, I need the "app_net_fm_entity_id" token set to "_not_star_but_other" IF the "app_fm_entity_id" (aka selectedvalues) has only the "*" value selected.  
@ITWhisperer Yes, env and tenant are already extracted, yes, we need stat broken by env and tenant as well as time

{
  "datetime": "08-19-2024 10:40:30.196 +1000",
  "log_level": "INFO",
  "component": "Hostwide",
  "data": {
    "cpu_arch": "x86_64",
    "os_name": "Linux",
    "os_name_ext": "Linux",
    "os_build": "#1 ABC Thu Apr 4 03:33:23 EDT 2024",
    "os_version": "3.10.0-1160.118",
    "instance_guid": "ABCDEFGH",
    "splunk_version": "9.2.1",
    "mem": "382641.051",
    "mem_used": "41983.578",
    "swap": "511.996",
    "swap_used": "511.996",
    "pg_paged_out": "50842005897",
    "pg_swapped_out": "164124",
    "forks": "00000600",
    "cpu_count": "24",
    "virtual_cpu_count": "48",
    "runnable_process_count": "19",
    "normalized_load_avg_1min": "1.14",
    "cpu_user_pct": "45.35",
    "cpu_system_pct": "10.68",
    "cpu_idle_pct": "43.98"
  }
}
Yes, thank you. On top of creating those two separate tables, I want to then store the table data in separate indexes, maintaining all field headers and values. From there I want to restrict access to the indexes. Ideally, I want to avoid creating separate apps.
1. The use case is ideally I just want to create separate indexes based on a search filter and be able to restrict access to these filters based on roles without the need to create different apps. The data I'm ingesting is aggregate so only admins can see it. From there, I want to create two separate dashboards (not Splunk apps if possible) showing data for superheros or villains. I need only users with the role "good guys" to access the superhero dashboard and be unable to access the villain dashboard and vice versa. The solution I've thought about is by creating indexes which only differ by one line (e.g. archetype=superhero/villain) and then restricting access to these indexes based on user roles.
2. I can't restrict access when using search-time filters though.
3. Okay I understand summary indexing is not the best approach. Do you have a better solution?
Arrows are an attribute of lines.  They don't show up, however, until you increase the thickness of the line.  
Yes, I've thought about creating different apps but I wanted to avoid this since the only difference between the apps will be one line in the filter (e.g. archetype="superhero"). Ideally I just want to create separate indexes based on a search filter and be able to restrict access to these filters based on roles without the need to create different apps. I tried populating the summary index using the query above. By Original Fields not populating, I mean once you run the query and check the index that was created (e.g. index=superheros), the fields present in the search don't include id, strengths, and archetype but only default fields like date_hour, index, timeendpos etc).
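Added example, not from this thread: what the index-per-archetype approach looks like in configuration. Access to an index is granted per role in authorize.conf, and a role's effective index list is the union of its own srchIndexesAllowed and the lists of every role it imports, so a restricted role must not import a role that already allows the index (check the stock user role with `splunk btool authorize list role_user --debug` before importing it). The index and role names are hypothetical and follow the superhero/villain example above.

```ini
# Added example, not from the thread: index-level access by role.
# Hypothetical index and role names follow the thread's superhero/villain idea.

# indexes.conf  (indexers, or the single instance)
[superheros]
homePath   = $SPLUNK_DB/superheros/db
coldPath   = $SPLUNK_DB/superheros/colddb
thawedPath = $SPLUNK_DB/superheros/thaweddb

[villains]
homePath   = $SPLUNK_DB/villains/db
coldPath   = $SPLUNK_DB/villains/colddb
thawedPath = $SPLUNK_DB/villains/thaweddb

# authorize.conf  (search head)
# Index access accumulates across imported roles, so these roles import
# nothing; give them the capabilities they need explicitly instead.
[role_good_guys]
search = enabled
srchIndexesAllowed = superheros
srchIndexesDefault = superheros

[role_bad_guys]
search = enabled
srchIndexesAllowed = villains
srchIndexesDefault = villains
```

The dashboards themselves are knowledge objects: share each one in the app and grant read permission only to the matching role, so the villain dashboard is not even listed for good guys. Hiding rows with depends/rejects tokens is client-side only and does not restrict what a user can search; the index permission above is the actual boundary. If the one-line filter is to stay in a single index instead, authorize.conf also has srchFilter, which appends a fixed search filter to every search a role runs.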
You can't use $value$ and your <condition> elements are wrong - I assume you're trying to make a conditional expression, however, you just have effectively a single condition.

This is the technique to remove all and add all when using multiselect

<change>
  <condition match="$form.app_fm_entity_id$=&quot;*&quot;">
    <eval token="form.app_fm_entity_id">*</eval>
  </condition>
  <condition>
    <eval token="form.app_fm_entity_id">case(mvcount($form.app_fm_entity_id$)="2" AND mvindex($form.app_fm_entity_id$,0)="*", mvindex($form.app_fm_entity_id$,1), mvfind($form.app_fm_entity_id$,"^\\*$$")=mvcount($form.app_fm_entity_id$)-1, "*", true(), $form.app_fm_entity_id$)</eval>
  </condition>
</change>

It will set the token to * not _all because that is the value defined in your default 'All' option.
Might be a silly question but does anyone possibly know where I can locate lines with pointing arrows at the end? I wanted to use them to point to each panel I had to show a flow diagram of some sort.
I am using the multiselect input definition below:

The issue is that it is not setting the token named "app_net_fm_entity_id" properly. The desired behavior is, if the user selects the "All" label (value=*) then the condition should detect the "*" value and set the "app_net_fm_entity_id" token to "_all". If the user selects anything else other than just the "All" label then the "app_net_fm_entity_id" token should be set to the contents of the selected values.

I am using Splunk Enterprise 9.2.1. This is a simple XML dashboard, aka classic dashboard. I am 1 month into Splunk and learning feverishly but I surely need some help on this. I've tried using JS to get the desired behavior for this multiselect, but couldn't get that to work either.

<input id="app_nodes_multiselect" type="multiselect" depends="$app_fm_app_id$" token="app_fm_entity_id" searchWhenChanged="true">
  <label>Nodes</label>
  <delimiter> </delimiter>
  <fieldForLabel>entity_name</fieldForLabel>
  <fieldForValue>internal_entity_id</fieldForValue>
  <search>
    <query>| inputlookup aix_kv_apm_comps WHERE entity_type!=$app_fm_group_nodes$ | search [| makeresults | eval search="internal_parent_id=(".mvjoin($app_fm_app_id$, " OR internal_parent_id=").")" | return $search] | table entity_name, internal_entity_id | sort entity_name</query>
  </search>
  <choice value="*">All</choice>
  <default>*</default>
  <change>
    <condition>
      <eval>len($value$) == 1</eval>
      <set token="app_net_fm_entity_id">_all</set>
    </condition>
    <condition>
      <eval>len($value$) > 1</eval>
      <set token="app_net_fm_entity_id">$value$</set>
    </condition>
  </change>
</input>
Well, you need to simply find something between your "anchors". Which in simplest form might just be

stringstart\s(?<uuid>.*)\sstringend

If you know that the uuid has some particular form you can be a bit more specific (for example not to capture a wrongly formed uuid)

stringstart\s(?<uuid>[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})\sstringend

You can even add more anchoring text in front or at the end if you have more constant parts.

So as you have a regex matching and extracting this part, you can - depending on your use case - either use it as @marnall showed with the rex command or use it to define a search-time extraction. For example

EXTRACT-uuid = stringstart\s(?<uuid>[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})\sstringend
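Added example, not from the answer above: the loose and the strict anchored patterns run side by side over constructed sample events, to show what the answer only states, namely that the loose form captures anything between the anchors (including a malformed value, and, because `.*` is greedy, everything up to the last anchor when a line holds two), while the strict 8-4-4-4-12 form rejects those. Splunk's rex and EXTRACT- use PCRE; the patterns here use only syntax that behaves the same in JavaScript, and the case-insensitive variant corresponds to a leading (?i) in Splunk. The anchor words and the sample lines are assumptions.

```javascript
// Added example (not from the original answer): loose vs strict anchored
// extraction of a UUID, run over constructed sample lines.

// Loose: anything between the two anchors.
const LOOSE = /stringstart\s(?<uuid>.*)\sstringend/;
// Strict: the 8-4-4-4-12 hex shape of an RFC 4122 UUID, lowercase only.
const STRICT = /stringstart\s(?<uuid>[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})\sstringend/;
// Same shape, case-insensitive (Splunk equivalent: prefix the pattern with (?i)).
const STRICT_CI = new RegExp(STRICT.source, 'i');

// First match of `pattern` in `line`, or null when the field would be absent.
function extractUuid(line, pattern) {
  const m = pattern.exec(line);
  return m ? m.groups.uuid : null;
}

// Apply one pattern to every line and drop the misses, which is what a
// search-time extraction does: events without a match simply lack the field.
function extractAll(lines, pattern) {
  return lines.map((l) => extractUuid(l, pattern)).filter((v) => v !== null);
}

// Constructed sample events (not real logs).
const SAMPLE_LINES = [
  'stringstart 123e4567-e89b-12d3-a456-426614174000 stringend',
  'stringstart 123E4567-E89B-12D3-A456-426614174000 stringend',
  'stringstart not-a-uuid stringend',
  'stringstart 123e4567-e89b-12d3-a456-426614174000 stringend stringstart zzz stringend',
  'unrelated line',
];

// Side-by-side view of what each pattern yields per line.
function compare(lines) {
  return lines.map((line) => ({
    line,
    loose: extractUuid(line, LOOSE),
    strict: extractUuid(line, STRICT),
    strictCi: extractUuid(line, STRICT_CI),
  }));
}
```

Run compare(SAMPLE_LINES) to see the three columns; the third sample line is where the loose pattern happily returns "not-a-uuid", and the fourth is where its greedy `.*` swallows the second anchor pair. In props.conf the strict pattern goes in the EXTRACT- stanza exactly as shown in the answer; if the source mixes upper and lower case, add (?i) at the front rather than widening the character class.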