@richgalloway  thanks for replay the | rex is working as it should the problem start when I'm trying to save the Regex. and this is cause by the fact i need to save the regex from the "source" field and no from the "_raw" field.
The main goal is to add another field in all searches without using the | rex command every time. 

Hi

you must use transforms to get this done. 

1. Create Field transformations on your app e.g.
   1. get_directory_from_linux_audit_source
   2. Type regex-based
   3. Regular expression like: /log/([^/]+)/
   4. Format: directory::$1
   5. Source key: source
   6. Save and give needed permissions like app and roles which can use it
2. Create Field extractions 
   1. Name: <what ever you want to call it>
   2. Apply to: sourcetype named: e.g. linux_audit or what ever this is in your node
   3. Type: Uses transforms
   4. Extraction/Transforms: <from above like get_directory_from_linux_audit_source>
   5. Save and give needed permission like above
3. Wait that this will be applied to all needed places on SCP
4. Use it like: index=<your index> sourcetype=<your sourcetype> <Your field name>=*

r. Ismo

@isoutamo  hey thanks for the replay. 
I've been trying to create the following two you shared, but somehow i still don't see the the field in the field section I'm sharing the process I've taking. 
let me know if I'm missing something. 

hey @gcusello  thanks for your replay.
It seems like the capture do not capture any of the fields i needed, I've tried to save it an even to play a bit with the syntax.  but still no success. 

Hi @tamir ,

my solution is to save the extraction in an field extraction,

if you want to use the regex in a search, you have to add it to a search:

index=your_index
| rex field=source "Snowflake\/(?<folder>[^\/]+)"

Ciao.

Giuseppe