Hi, folks. I am stumped on this matter. My goal is extracting ABC, BCE, & CDE from ABCDE into a multivalue field.

So far, I have played around with regex101.com and got these 2 regexes:

(?<field_1>(?=(\w{3})))
(?<field_2>(?<=(\w{3})))

Both seem to work on regex101.com. But the thing is, I always get empty results in Splunk. I was using this command:

| makeresults | eval sample="ABCDE" | rex field=sample max_match=0 "(?<field_1>(?=(\w{3})))"

I understand that I was using positive lookahead and positive lookbehind. I opt to use one of them, since I'm not aware of how many characters the original field would have. So, either lookahead or lookbehind seems to be the appropriate method to use. Are these two methods available in Splunk? Or am I doing this in a wrong way? Please advise. Thank you 🙂
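An added illustration, not part of the original post: it uses Python's `re` module as a stand-in for a PCRE-style engine to show which capture group receives the text when the whole pattern is a zero-width lookaround. Python spells named groups `(?P<name>...)` where PCRE uses `(?<name>...)`; the helper names are hypothetical, and how `rex` turns these matches into field values is not checked here.

```python
import re

SAMPLE = "ABCDE"  # sample value from the post

# Pattern from the post in Python spelling. The named group wraps the
# lookahead, and a lookahead consumes no characters, so field_1 is always
# the empty string; the three characters land in the unnamed inner group.
NAMED_OUTSIDE = re.compile(r"(?P<field_1>(?=(\w{3})))")

# Name moved onto the group inside the lookahead: the overall match is still
# zero-width, but field_1 now holds the characters the lookahead inspected.
NAMED_INSIDE = re.compile(r"(?=(?P<field_1>\w{3}))")

# Lookbehind variant of the same idea (fixed width, as Python requires).
NAMED_INSIDE_LOOKBEHIND = re.compile(r"(?<=(?P<field_2>\w{3}))")


def named_values(pattern, name, text):
    """Value of the named group for every match, like a multivalue field."""
    return [m.group(name) for m in pattern.finditer(text)]


def inner_values(pattern, text):
    """Value of the unnamed second group for every match."""
    return [m.group(2) for m in pattern.finditer(text)]


if __name__ == "__main__":
    print("named outside :", named_values(NAMED_OUTSIDE, "field_1", SAMPLE))
    print("inner group   :", inner_values(NAMED_OUTSIDE, SAMPLE))
    print("named inside  :", named_values(NAMED_INSIDE, "field_1", SAMPLE))
    print("lookbehind    :", named_values(NAMED_INSIDE_LOOKBEHIND, "field_2", SAMPLE))
```

A regex tester that lists every group shows the inner group's text, which is why the original pattern can look correct there while the named group itself stays empty.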