Hi everyone,
I've got some logs like this:
[2019-02-01 14:51:43][P][APPLICATION/controllers/access_controller.php:166 in access_controller::_get_authenticated_user()] [24418549=Laetitia resoludor] _get_authenticated_user -> session_start
[2019-02-01 14:51:43][P][APPLICATION/mappers/exam_mapper.php:15 SQL->query_single_row() in exam_mapper::getExam()] [24418549=Laetitia resoludor] [DB] INIT: mysql:host=hidden.com;dbname=myapp
[2019-02-01 14:51:43][P][APPLICATION/mappers/exam_mapper.php:15 SQL->query_single_row() in exam_mapper::getExam()] [24418549=Laetitia resoludor] [SQL][myapp/mysql]
SELECT *
FROM app_exam
INNER JOIN app_qcm ON app_exam.id_qcm = app_qcm.id_qcm
WHERE app_exam.id_exam = 4506873
[2019-02-01 14:51:43][P][APPLICATION/mappers/exam_mapper.php:15 SQL->query_single_row() in exam_mapper::getExam()] [24418549=Laetitia resoludor] [SQL][myapp/mysql]
[2019-02-01 14:51:52][P][APPLICATION/mappers/exam_login_mapper.php:231 SQL->query_all() in exam_login_mapper::selectAllByIdExamWithoutXML3()] [24418549=Laetitia resoludor] [SQL][myapp/mysql]
SELECT id_exam_sheet, points, note, current_question, total_question,options
FROM app_exam_login
INNER JOIN app_exam_sheet ON app_exam_login.id_exam_login = app_exam_sheet.id_exam_login
where app_exam_login.id_exam=4506873
order by id_exam_sheet;
I need to parse the [24418549=Laetitia resoludor] field. The field inside the square brackets (numberfield=name) can change.
How can I do that?
I've found a regex that can do that, "[0-9]\d+=([A-Z])\w+ \w+". How can I apply that to Splunk Search and Reporting?
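One way to check an extraction pattern for the bracketed id=name field against these log lines before using it in a search, as an added example that is not part of the original post. The pattern and the names `user_id`, `user_name`, `parse_events` and `events_per_user` are assumptions; the sample reuses header lines from the post with shortened SQL bodies.

```python
import re
from collections import Counter

# Constructed sample: header lines taken from the post, SQL bodies shortened.
SAMPLE_LOG = """\
[2019-02-01 14:51:43][P][APPLICATION/controllers/access_controller.php:166 in access_controller::_get_authenticated_user()] [24418549=Laetitia resoludor] _get_authenticated_user -> session_start
[2019-02-01 14:51:43][P][APPLICATION/mappers/exam_mapper.php:15 SQL->query_single_row() in exam_mapper::getExam()] [24418549=Laetitia resoludor] [SQL][myapp/mysql]
SELECT *
FROM app_exam
WHERE app_exam.id_exam = 4506873
[2019-02-01 14:51:52][P][APPLICATION/mappers/exam_login_mapper.php:231 SQL->query_all() in exam_login_mapper::selectAllByIdExamWithoutXML3()] [24418549=Laetitia resoludor] [SQL][myapp/mysql]
SELECT id_exam_sheet, points
FROM app_exam_login
"""

# An event starts with a bracketed timestamp; anything else is a continuation line.
HEADER = re.compile(r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]")
# Digits, '=', then everything up to the closing bracket (names may vary in shape).
USER = re.compile(r"\[(?P<user_id>\d+)=(?P<user_name>[^\]]+)\]")

def parse_events(text):
    """Group physical lines into events and extract the user field per event."""
    events = []
    for line in text.splitlines():
        head = HEADER.match(line)
        if head is None:
            # SQL body line: attach it to the event that precedes it.
            if events:
                events[-1]["body"].append(line)
            continue
        user = USER.search(line)
        events.append({
            "ts": head["ts"],
            "user_id": user["user_id"] if user else None,
            "user_name": user["user_name"].strip() if user else None,
            "body": [],
        })
    return events

def events_per_user(events):
    """Count events per (user_id, user_name) pair."""
    return Counter((e["user_id"], e["user_name"]) for e in events)

if __name__ == "__main__":
    for (uid, name), n in events_per_user(parse_events(SAMPLE_LOG)).items():
        print(uid, name, n)
```

Splunk's `rex` command takes the same pattern with PCRE-style named groups, `(?<user_id>\d+)` instead of Python's `(?P<user_id>\d+)`.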