sorry, if i confused. Yes, ETC and RFG are fixed and need to add in table Log Line: 05:02:05.213 Txt 46000 008a456b37de5982_ETC_RFG: (Q056) play this message id:announcement/4637825, duration:58   i tired to get result with below query,  but not working properly  index=dg_hdgf_yrgt "(Q056) play this message" | rex field=_raw "Txt\s+46000\s+(?<IDvalue>\w+)" | rex field=_raw "announcement/(?<messagefile>\d+)" | where NOT isnull(messagefile) | mvexpand IDvalue | makemv IDvalue delim="_" | eval IDvalue=mvindex(IDvalue,0) | eval ENV=mvindex(IDvalue,1) | eval LOB=mvindex(IDvalue,2) | search LOB=RFG | table IDvalue,ENV,LOB,messagefile ... View more

log line will be 05:02:05.213 Txt 46000 008a456b37de5982_ETC_RFG: (Q056) play this message id:announcement/4637825, duration:58 expecting Table like 008a456b37de5982 ETC RFG 4637825 ... View more

I tried below syntax but it's matching entire line but I want only "ID" value /(?<ID>\w+)_ETC_RFG ... View more