https://community.splunk.com/t5/Splunk-Enterprise/How-to-Split-correspondence-of-multi-value-fields/m-p/606595#M13407 These two values are the log content automatically extracted by "add on". The corresponding value of "Recipient" is a field, and the corresponding value is the recipient connected by multiple space characters. The complete value of "status" is this content Fri, 22 Jul 2022 06:26:28 GMT spl_stu 2022-07-22T06:26:28Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-Split-correspondence-of-multi-value-fields/m-p/606592#M13404 <P><FONT>Please help answer this question, thank you：<BR /><BR />For these two multivalued fields, you want the value in the "Recipient" field to correspond to the value in the "recipient_status". If the receipt is successful, it corresponds to ";", If it fails, it corresponds to "'550 5.1.1 resolver.adr.recipnotfound, not found'". Is there a way to segment the values of these two fields and make one-to-one correspondence?<BR /><BR />The following are the values corresponding to these two fields<BR /><SPAN class="">Recipient=</SPAN><SPAN>"</SPAN><SPAN class="">@000.com</SPAN> <SPAN class="">@123.com</SPAN> <SPAN class="">@456.com</SPAN> <SPAN class="">@789.com</SPAN><SPAN>",<BR /></SPAN><SPAN class="">recipient_status=</SPAN><SPAN>";;'</SPAN><SPAN class="">550</SPAN> <SPAN class="">5.1.1</SPAN> <SPAN class="">RESOLVER.ADR.RecipNotFound</SPAN><SPAN>; </SPAN><SPAN class="">not</SPAN> <SPAN class="">found</SPAN></FONT><SPAN>';"<BR /><BR /></SPAN></P> Fri, 22 Jul 2022 14:14:46 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-Split-correspondence-of-multi-value-fields/m-p/606592#M13404 spl_stu 2022-07-22T14:14:46Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-Split-correspondence-of-multi-value-fields/m-p/606594#M13406 <P>The recipient appears to be space delimited - how are the status values delimited?</P><P>Is what you have given as your example exactly as it is in the raw event or are these representations of the event field post extraction?</P><P>Has the data been extracted to a multi-value field (in the Splunk sense) already or are you looking for help to do that extraction?</P> Fri, 22 Jul 2022 06:21:20 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-Split-correspondence-of-multi-value-fields/m-p/606594#M13406 ITWhisperer 2022-07-22T06:21:20Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-Split-correspondence-of-multi-value-fields/m-p/606595#M13407 These two values are the log content automatically extracted by "add on". The corresponding value of "Recipient" is a field, and the corresponding value is the recipient connected by multiple space characters. The complete value of "status" is this content Fri, 22 Jul 2022 06:26:28 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-Split-correspondence-of-multi-value-fields/m-p/606595#M13407 spl_stu 2022-07-22T06:26:28Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-Split-correspondence-of-multi-value-fields/m-p/606597#M13408 <P>Try something like this (this assumes that the status does not have a semi-colon in)</P><LI-CODE lang="markup">| rex field=recipient max_match=0 "(?&lt;rcpt&gt;\S+)" | rex recipient_status max_match=0 "(?i)(?&lt;rcptstatus&gt;(;|'550 5\.1\.1 resolver\.adr\.recipnotfound, not found'))" | eval recipient_plus_status=mvzip(rcpt, rcptstatus)</LI-CODE> Fri, 22 Jul 2022 06:41:17 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-Split-correspondence-of-multi-value-fields/m-p/606597#M13408 ITWhisperer 2022-07-22T06:41:17Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-Split-correspondence-of-multi-value-fields/m-p/606598#M13409 OK, thank you very much for your answer. I'll test it now Fri, 22 Jul 2022 06:43:48 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-Split-correspondence-of-multi-value-fields/m-p/606598#M13409 spl_stu 2022-07-22T06:43:48Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-Split-correspondence-of-multi-value-fields/m-p/606602#M13412 <P><BR />Thank you very much for your answer. My problem has been solved</P> Fri, 22 Jul 2022 07:17:59 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-Split-correspondence-of-multi-value-fields/m-p/606602#M13412 spl_stu 2022-07-22T07:17:59Z