https://community.splunk.com/t5/Splunk-Enterprise/How-do-we-extract-field-header-to-a-value-that-changes-and/m-p/660880#M17650 <P>Try this query.&nbsp; The transpose command "rotates" the results table into the desired format.</P><LI-CODE lang="markup">| makeresults | eval data="1997-10-10 15:35:13.046, CREATE_DATE=\"1997-10-10 13:36:22.742479\", LAST_UPDATE_DATE=\"1997-10-10 13:36:22.74\", ACTION=\"externalFactor\", STATUS=\"info\", DATA_STRING=\"&lt;?xml version=\"1.0\" encoding=\"UTF-8\"?&gt;&lt;externalFactor&gt;&lt;current&gt;parker&lt;/current&gt;&lt;keywordp&gt;&lt;encrypted&gt;true&lt;/encrypted&gt;&lt;keywordp&gt;******&lt;/keywordp&gt;&lt;/keywordp&gt;&lt;boriskhan&gt;boriskhan1-CMX_PRTY&lt;/boriskhan&gt;&lt;/externalFactor&gt;\" 1997-10-10 15:35:13.046, CREATE_DATE=\"1997-10-10 13:03:58.388887\", LAST_UPDATE_DATE=\"1997-10-10 13:03:58.388\", ACTION=\"externalFactor.RESPONSE\", STATUS=\"info\", DATA_STRING=\"&lt;?xml version=\"1.0\" encoding=\"UTF-8\"?&gt;&lt;externalFactorReturn&gt;&lt;roleName&gt;ROLE.CustomerManager&lt;/roleName&gt;&lt;roleName&gt;ROLE.DataSteward&lt;/roleName&gt;&lt;pepres&gt;false&lt;/pepres&gt;&lt;externalFactor&gt;false&lt;/externalFactor&gt;&lt;parkeristrator&gt;true&lt;/parkeristrator&gt;&lt;current&gt;parker&lt;/current&gt;&lt;/externalFactorReturn&gt;" | eval data=split(data," ") | mvexpand data | eval _raw=data | fields - data ``` Everything above sets up demo data. Delete IRL ``` ``` Extract keys and values ``` | rex max_match=0 "&lt;(?&lt;key&gt;[^&gt;]+)&gt;(?&lt;value&gt;[^&lt;]+)&lt;\/\1&gt;" ``` Match keys and values so they stayed paired during mvexpand ``` | eval pairs=mvzip(key,value) | mvexpand pairs ``` Separate key from value ``` | eval pairs=split(pairs,",") ``` Define key=value result ``` | eval key=mvindex(pairs,0), value=mvindex(pairs,1) | fields key,value | fields - _* | transpose 0 header_field=key</LI-CODE> Mon, 16 Oct 2023 14:26:17 GMT richgalloway 2023-10-16T14:26:17Z https://community.splunk.com/t5/Splunk-Enterprise/How-do-we-extract-field-header-to-a-value-that-changes-and/m-p/660573#M17610 <P>I need help in regex for key and value to be extracted from raw data, below regex working with xml_kv_extraction. While its working in regex101 but not in splunk with rex, any suggesstions.</P><P>&lt;(?&lt;field_header&gt;[^&gt;]+)&gt;(?&lt;field_value&gt;[^&lt;]+)&lt;\/\1&gt;<A title="Working regex in regex101" href="https://regex101.com/r/IBsMhK/1" target="_self">https://regex101.com/r/IBsMhK/1</A>&nbsp;</P><P>eg: events with</P><P>&lt;field_title&gt;&lt;field_header1&gt;field_value1&lt;/field_header1&gt;&lt;field_header2&gt;field_value2&lt;/field_header2&gt;&lt;/field_title&gt;</P><P>Should appear fields as below.</P><P>field title =&nbsp;&lt;field_header1&gt;field_value1&lt;/field_header1&gt;&lt;field_header2&gt;field_value2&lt;/field_header2&gt;</P><P>field_header1=field_value1</P><P>field_header2=field_value2</P><P>&nbsp;</P><LI-CODE lang="markup">1997-10-10 15:35:13.046, CREATE_DATE="1997-10-10 13:36:22.742479", LAST_UPDATE_DATE="1997-10-10 13:36:22.74", ACTION="externalFactor", STATUS="info", DATA_STRING="&lt;?xml version="1.0" encoding="UTF-8"?&gt; &lt;externalFactor&gt;&lt;current&gt;parker&lt;/current&gt;&lt;keywordp&gt;&lt;encrypted&gt;true&lt;/encrypted&gt;&lt;keywordp&gt;******&lt;/keywordp&gt;&lt;/keywordp&gt;&lt;boriskhan&gt;boriskhan1-CMX_PRTY&lt;/boriskhan&gt;&lt;/externalFactor&gt;" 1997-10-10 15:35:13.046, CREATE_DATE="1997-10-10 13:03:58.388887", LAST_UPDATE_DATE="1997-10-10 13:03:58.388", ACTION="externalFactor.RESPONSE", STATUS="info", DATA_STRING="&lt;?xml version="1.0" encoding="UTF-8"?&gt; &lt;externalFactorReturn&gt;&lt;roleName&gt;ROLE.CustomerManager&lt;/roleName&gt;&lt;roleName&gt;ROLE.DataSteward&lt;/roleName&gt;&lt;pepres&gt;false&lt;/pepres&gt;&lt;externalFactor&gt;false&lt;/externalFactor&gt;&lt;parkeristrator&gt;true&lt;/parkeristrator&gt;&lt;current&gt;parker&lt;/current&gt;&lt;/externalFactorReturn&gt;" 1997-10-10 15:35:13.046, CREATE_DATE="1997-10-10 13:03:58.384984", LAST_UPDATE_DATE="1997-10-10 13:03:58.384", ACTION="externalFactor.RESPONSE", STATUS="info", DATA_STRING="&lt;?xml version="1.0" encoding="UTF-8"?&gt; &lt;externalFactorReturn&gt;&lt;roleName&gt;ROLE.CustomerManager&lt;/roleName&gt;&lt;roleName&gt;ROLE.DataSteward&lt;/roleName&gt;&lt;pepres&gt;false&lt;/pepres&gt;&lt;externalFactor&gt;false&lt;/externalFactor&gt;&lt;parkeristrator&gt;true&lt;/parkeristrator&gt;&lt;current&gt;parker&lt;/current&gt;&lt;/externalFactorReturn&gt;" 1997-10-10 15:35:13.046, CREATE_DATE="1997-10-10 13:03:58.384947", LAST_UPDATE_DATE="1997-10-10 13:03:58.384", ACTION="externalFactor.RESPONSE", STATUS="info", DATA_STRING="&lt;?xml version="1.0" encoding="UTF-8"?&gt; &lt;externalFactorReturn&gt;&lt;roleName&gt;ROLE.CustomerManager&lt;/roleName&gt;&lt;roleName&gt;ROLE.DataSteward&lt;/roleName&gt;&lt;pepres&gt;false&lt;/pepres&gt;&lt;externalFactor&gt;false&lt;/externalFactor&gt;&lt;parkeristrator&gt;true&lt;/parkeristrator&gt;&lt;current&gt;parker&lt;/current&gt;&lt;/externalFactorReturn&gt;" 1997-10-10 15:35:13.046, CREATE_DATE="1997-10-10 13:03:58.378965", LAST_UPDATE_DATE="1997-10-10 13:03:58.378", ACTION="externalFactor", STATUS="info", DATA_STRING="&lt;?xml version="1.0" encoding="UTF-8"?&gt; &lt;externalFactor&gt;&lt;current&gt;parker&lt;/current&gt;&lt;keywordp&gt;&lt;encrypted&gt;true&lt;/encrypted&gt;&lt;keywordp&gt;******&lt;/keywordp&gt;&lt;/keywordp&gt;&lt;boriskhan&gt;boriskhan1-CMX_PRTY&lt;/boriskhan&gt;&lt;/externalFactor&gt;" 1997-10-10 15:35:13.046, CREATE_DATE="1997-10-10 13:03:58.374242", LAST_UPDATE_DATE="1997-10-10 13:03:58.373", ACTION="externalFactor", STATUS="info", DATA_STRING="&lt;?xml version="1.0" encoding="UTF-8"?&gt; &lt;externalFactor&gt;&lt;current&gt;parker&lt;/current&gt;&lt;keywordp&gt;&lt;encrypted&gt;true&lt;/encrypted&gt;&lt;keywordp&gt;******&lt;/keywordp&gt;&lt;/keywordp&gt;&lt;boriskhan&gt;boriskhan1-CMX_PRTY&lt;/boriskhan&gt;&lt;/externalFactor&gt;" 1997-10-10 15:35:13.046, CREATE_DATE="1997-10-10 13:03:58.374235", LAST_UPDATE_DATE="1997-10-10 13:03:58.373", ACTION="externalFactor", STATUS="info", DATA_STRING="&lt;?xml version="1.0" encoding="UTF-8"?&gt; &lt;externalFactor&gt;&lt;current&gt;parker&lt;/current&gt;&lt;keywordp&gt;&lt;encrypted&gt;true&lt;/encrypted&gt;&lt;keywordp&gt;******&lt;/keywordp&gt;&lt;/keywordp&gt;&lt;boriskhan&gt;boriskhan1-CMX_PRTY&lt;/boriskhan&gt;&lt;/externalFactor&gt;" 1997-10-10 15:35:13.046, CREATE_DATE="1997-10-10 13:03:58.325953", LAST_UPDATE_DATE="1997-10-10 13:03:58.325", ACTION="externalFactor.RESPONSE", STATUS="info", DATA_STRING="&lt;?xml version="1.0" encoding="UTF-8"?&gt; &lt;externalFactorReturn&gt;&lt;roleName&gt;ROLE.CustomerManager&lt;/roleName&gt;&lt;roleName&gt;ROLE.DataSteward&lt;/roleName&gt;&lt;pepres&gt;false&lt;/pepres&gt;&lt;externalFactor&gt;false&lt;/externalFactor&gt;&lt;parkeristrator&gt;true&lt;/parkeristrator&gt;&lt;current&gt;parker&lt;/current&gt;&lt;/externalFactorReturn&gt;"</LI-CODE><P>&nbsp;</P><P>&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/242773">@priit</a>&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/260554">@PriA</a>&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/162780">@yonmost</a>&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/60751">@jameshgibson</a>&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/106492">@bnikhil0584</a>&nbsp;</P> Thu, 12 Oct 2023 18:18:04 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-do-we-extract-field-header-to-a-value-that-changes-and/m-p/660573#M17610 sandeepreddy947 2023-10-12T18:18:04Z https://community.splunk.com/t5/Splunk-Enterprise/How-do-we-extract-field-header-to-a-value-that-changes-and/m-p/660575#M17612 <P>Where in Splunk are you using this regex?&nbsp; If it's in transforms.conf then please share the full stanza.</P> Thu, 12 Oct 2023 18:38:27 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-do-we-extract-field-header-to-a-value-that-changes-and/m-p/660575#M17612 richgalloway 2023-10-12T18:38:27Z https://community.splunk.com/t5/Splunk-Enterprise/How-do-we-extract-field-header-to-a-value-that-changes-and/m-p/660576#M17613 <P>i'm trying to find right regex for Splunk search time extraction first, via Splunk GUI.</P> Thu, 12 Oct 2023 18:44:22 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-do-we-extract-field-header-to-a-value-that-changes-and/m-p/660576#M17613 sandeepreddy947 2023-10-12T18:44:22Z https://community.splunk.com/t5/Splunk-Enterprise/How-do-we-extract-field-header-to-a-value-that-changes-and/m-p/660578#M17614 <P>I have regex in description and also url from regex101.com. its not working in Splunk when i used rex with SPL query.</P><LI-CODE lang="markup">index=universe sourcetype=planet | rex field=_raw "&lt;(?&lt;key&gt;[^&gt;]+)&gt; (?&lt;value&gt;[^&lt;]+)&lt;\/\1&gt;"</LI-CODE><P>Results i got,&nbsp;</P><P>&nbsp;</P><P>key</P><P>current<BR />encrypted<BR />keywordp<BR />boriskhan<BR />rolename<BR />.<BR />.<BR /><BR /><BR />value<BR /><BR />parker<BR />true<BR />******<BR />role.customermanager<BR />false<BR />.<BR />.<BR />.</P> Thu, 12 Oct 2023 18:51:54 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-do-we-extract-field-header-to-a-value-that-changes-and/m-p/660578#M17614 sandeepreddy947 2023-10-12T18:51:54Z https://community.splunk.com/t5/Splunk-Enterprise/How-do-we-extract-field-header-to-a-value-that-changes-and/m-p/660579#M17615 <P>Result i need from raw data is,<BR /><BR /><SPAN>current=parker</SPAN><BR /><SPAN>encrypted=true</SPAN><BR /><SPAN>keywordp=******</SPAN><BR /><SPAN>boriskhan=boriskhan1-cmx_prty</SPAN><BR /><SPAN>rolename=role.customermanager<BR /></SPAN>.<BR />.<BR />.<BR />.</P> Thu, 12 Oct 2023 18:55:07 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-do-we-extract-field-header-to-a-value-that-changes-and/m-p/660579#M17615 sandeepreddy947 2023-10-12T18:55:07Z https://community.splunk.com/t5/Splunk-Enterprise/How-do-we-extract-field-header-to-a-value-that-changes-and/m-p/660612#M17621 <P>You need to extract special capture groups from each match called _KEY_1 and _VAL_1</P><P>&nbsp;</P> Fri, 13 Oct 2023 06:03:39 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-do-we-extract-field-header-to-a-value-that-changes-and/m-p/660612#M17621 PickleRick 2023-10-13T06:03:39Z https://community.splunk.com/t5/Splunk-Enterprise/How-do-we-extract-field-header-to-a-value-that-changes-and/m-p/660656#M17632 <P>See if this run-anywhere example query helps.</P><LI-CODE lang="markup">| makeresults | eval data="1997-10-10 15:35:13.046, CREATE_DATE=\"1997-10-10 13:36:22.742479\", LAST_UPDATE_DATE=\"1997-10-10 13:36:22.74\", ACTION=\"externalFactor\", STATUS=\"info\", DATA_STRING=\"&lt;?xml version=\"1.0\" encoding=\"UTF-8\"?&gt;&lt;externalFactor&gt;&lt;current&gt;parker&lt;/current&gt;&lt;keywordp&gt;&lt;encrypted&gt;true&lt;/encrypted&gt;&lt;keywordp&gt;******&lt;/keywordp&gt;&lt;/keywordp&gt;&lt;boriskhan&gt;boriskhan1-CMX_PRTY&lt;/boriskhan&gt;&lt;/externalFactor&gt;\" 1997-10-10 15:35:13.046, CREATE_DATE=\"1997-10-10 13:03:58.388887\", LAST_UPDATE_DATE=\"1997-10-10 13:03:58.388\", ACTION=\"externalFactor.RESPONSE\", STATUS=\"info\", DATA_STRING=\"&lt;?xml version=\"1.0\" encoding=\"UTF-8\"?&gt;&lt;externalFactorReturn&gt;&lt;roleName&gt;ROLE.CustomerManager&lt;/roleName&gt;&lt;roleName&gt;ROLE.DataSteward&lt;/roleName&gt;&lt;pepres&gt;false&lt;/pepres&gt;&lt;externalFactor&gt;false&lt;/externalFactor&gt;&lt;parkeristrator&gt;true&lt;/parkeristrator&gt;&lt;current&gt;parker&lt;/current&gt;&lt;/externalFactorReturn&gt;" | eval data=split(data," ") | mvexpand data | eval _raw=data | fields - data ``` Everything above sets up demo data. Delete IRL ``` ``` Extract keys and values ``` | rex max_match=0 "&lt;(?&lt;key&gt;[^&gt;]+)&gt;(?&lt;value&gt;[^&lt;]+)&lt;\/\1&gt;" ``` Match keys and values so they stayed paired during mvexpand ``` | eval pairs=mvzip(key,value) | mvexpand pairs ``` Separate key from value ``` | eval pairs=split(pairs,",") ``` Define key=value result ``` | eval pairs=mvindex(pairs,0) . "=" . mvindex(pairs,1) | table pairs</LI-CODE> Fri, 13 Oct 2023 12:17:50 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-do-we-extract-field-header-to-a-value-that-changes-and/m-p/660656#M17632 richgalloway 2023-10-13T12:17:50Z https://community.splunk.com/t5/Splunk-Enterprise/How-do-we-extract-field-header-to-a-value-that-changes-and/m-p/660871#M17649 <P>Its great, i have all key as in field_header and all valuesas in field_value assigned to a field called paris. So, here all key and value extracted in one field called paris. But, i'm trying to extract field headers and field values from raw data. As to search for SPL query "index=index_name sourcetype=sourcetype |table current, encrypted, keywordp,boriskhan, rolename, prepres,&nbsp;externalFactor, parkeristrator".</P><P>&nbsp;</P><P>so, what i got is field_header as paris and field_values as current=parker,&nbsp; encrypted=true,&nbsp; .&nbsp; .&nbsp; .&nbsp; .&nbsp;</P><TABLE><TBODY><TR><TD><STRONG><FONT face="arial black,avant garde" color="#808080">paris</FONT></STRONG></TD></TR><TR><TD width="267.378px" height="25px">current=parker</TD></TR><TR><TD width="267.378px" height="25px">encrypted=true</TD></TR><TR><TD width="267.378px" height="25px">keywordp=******</TD></TR><TR><TD width="267.378px" height="25px">boriskhan=1-CMX_PRTY</TD></TR><TR><TD width="267.378px" height="25px">roleName=ROLE.CustomerManager</TD></TR><TR><TD width="267.378px" height="25px">pepres=false</TD></TR><TR><TD width="267.378px" height="25px">externalFactor=false</TD></TR><TR><TD width="267.378px" height="25px">parkeristrator=true</TD></TR><TR><TD width="267.378px" height="25px">current=parker</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>What goal is, field_header_1 is current, field_header_2 is encrypted, field_header_3 is keyword as below and to get field_headers showup in Splunk interesting fields with its values.</P><TABLE width="100%"><TBODY><TR><TD width="14.285714285714286%" height="25px"><FONT face="arial black,avant garde"><STRONG><FONT size="4">current</FONT></STRONG></FONT></TD><TD width="14.285714285714286%" height="25px"><FONT face="arial black,avant garde"><STRONG><FONT size="4">encrypted</FONT></STRONG></FONT></TD><TD width="14.285714285714286%" height="25px"><FONT face="arial black,avant garde"><STRONG><FONT size="4">keywordp</FONT></STRONG></FONT></TD><TD width="14.285714285714286%" height="25px"><FONT face="arial black,avant garde"><STRONG><FONT size="4">boriskhan</FONT></STRONG></FONT></TD><TD width="14.285714285714286%" height="25px"><FONT face="arial black,avant garde"><STRONG><FONT size="4">roleName</FONT></STRONG></FONT></TD><TD width="14.285714285714286%" height="25px"><FONT face="arial black,avant garde"><STRONG><FONT size="4">pepres</FONT></STRONG></FONT></TD><TD width="1.262626262626263%" height="25px"><FONT face="arial black,avant garde"><STRONG><FONT size="4">externalFactor</FONT></STRONG></FONT></TD></TR><TR><TD width="14.285714285714286%" height="47px">parker</TD><TD width="14.285714285714286%" height="47px">true</TD><TD width="14.285714285714286%" height="47px">******</TD><TD width="14.285714285714286%" height="47px">1-CMX_PRTY</TD><TD width="14.285714285714286%" height="47px">ROLE.CustomerManager</TD><TD width="14.285714285714286%" height="47px">false</TD><TD width="1.262626262626263%" height="47px">false</TD></TR></TBODY></TABLE><P>&nbsp;</P> Mon, 16 Oct 2023 13:13:41 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-do-we-extract-field-header-to-a-value-that-changes-and/m-p/660871#M17649 sandeepreddy947 2023-10-16T13:13:41Z https://community.splunk.com/t5/Splunk-Enterprise/How-do-we-extract-field-header-to-a-value-that-changes-and/m-p/660880#M17650 <P>Try this query.&nbsp; The transpose command "rotates" the results table into the desired format.</P><LI-CODE lang="markup">| makeresults | eval data="1997-10-10 15:35:13.046, CREATE_DATE=\"1997-10-10 13:36:22.742479\", LAST_UPDATE_DATE=\"1997-10-10 13:36:22.74\", ACTION=\"externalFactor\", STATUS=\"info\", DATA_STRING=\"&lt;?xml version=\"1.0\" encoding=\"UTF-8\"?&gt;&lt;externalFactor&gt;&lt;current&gt;parker&lt;/current&gt;&lt;keywordp&gt;&lt;encrypted&gt;true&lt;/encrypted&gt;&lt;keywordp&gt;******&lt;/keywordp&gt;&lt;/keywordp&gt;&lt;boriskhan&gt;boriskhan1-CMX_PRTY&lt;/boriskhan&gt;&lt;/externalFactor&gt;\" 1997-10-10 15:35:13.046, CREATE_DATE=\"1997-10-10 13:03:58.388887\", LAST_UPDATE_DATE=\"1997-10-10 13:03:58.388\", ACTION=\"externalFactor.RESPONSE\", STATUS=\"info\", DATA_STRING=\"&lt;?xml version=\"1.0\" encoding=\"UTF-8\"?&gt;&lt;externalFactorReturn&gt;&lt;roleName&gt;ROLE.CustomerManager&lt;/roleName&gt;&lt;roleName&gt;ROLE.DataSteward&lt;/roleName&gt;&lt;pepres&gt;false&lt;/pepres&gt;&lt;externalFactor&gt;false&lt;/externalFactor&gt;&lt;parkeristrator&gt;true&lt;/parkeristrator&gt;&lt;current&gt;parker&lt;/current&gt;&lt;/externalFactorReturn&gt;" | eval data=split(data," ") | mvexpand data | eval _raw=data | fields - data ``` Everything above sets up demo data. Delete IRL ``` ``` Extract keys and values ``` | rex max_match=0 "&lt;(?&lt;key&gt;[^&gt;]+)&gt;(?&lt;value&gt;[^&lt;]+)&lt;\/\1&gt;" ``` Match keys and values so they stayed paired during mvexpand ``` | eval pairs=mvzip(key,value) | mvexpand pairs ``` Separate key from value ``` | eval pairs=split(pairs,",") ``` Define key=value result ``` | eval key=mvindex(pairs,0), value=mvindex(pairs,1) | fields key,value | fields - _* | transpose 0 header_field=key</LI-CODE> Mon, 16 Oct 2023 14:26:17 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-do-we-extract-field-header-to-a-value-that-changes-and/m-p/660880#M17650 richgalloway 2023-10-16T14:26:17Z https://community.splunk.com/t5/Splunk-Enterprise/How-do-we-extract-field-header-to-a-value-that-changes-and/m-p/661049#M17656 <P>But, i'm still not able to view extracted field_header properly in interesting fields. i can only view "key" and "value"&nbsp; in interesting fields. I'm searching in verbose mode.</P> Tue, 17 Oct 2023 16:14:48 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-do-we-extract-field-header-to-a-value-that-changes-and/m-p/661049#M17656 sandeepreddy947 2023-10-17T16:14:48Z https://community.splunk.com/t5/Splunk-Enterprise/How-do-we-extract-field-header-to-a-value-that-changes-and/m-p/661053#M17657 <P>Only the key and value fields are visible because that is what the <FONT face="courier new,courier">fields</FONT> command does.&nbsp; If you prefer different names then change "key" to "field_header" throughout the query.&nbsp; Likewise for "value".</P> Tue, 17 Oct 2023 16:45:13 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-do-we-extract-field-header-to-a-value-that-changes-and/m-p/661053#M17657 richgalloway 2023-10-17T16:45:13Z https://community.splunk.com/t5/Splunk-Enterprise/How-do-we-extract-field-header-to-a-value-that-changes-and/m-p/661389#M17676 <P>I've tried identifying all individual fields in events and extracted using rex.</P><P>&nbsp;</P><LI-CODE lang="markup">| rex "\s\&lt;externalFactor\&gt;(?&lt;externalFactor&gt;.*)\&lt;\/externalFactor\&gt;" | rex "\s\&lt;externalFactorReturn\&gt;(?&lt;externalFactorReturn&gt;.*)\&lt;\/externalFactorReturn\&gt;" | rex "\&lt;current\&gt;(?&lt;current&gt;.*)\&lt;\/current\&gt;" | rex "\&lt;encrypted\&gt;(?&lt;encrypted&gt;.*)\&lt;\/encrypted\&gt;" | rex "\&lt;keywordp\&gt;(?&lt;keywordp&gt;.*)\&lt;\/keywordp\&gt;" | rex "\&lt;pepres\&gt;(?&lt;pepres&gt;.*)\&lt;\/pepres\&gt;" | rex "\&lt;roleName\&gt;(?&lt;roleName&gt;.*)\&lt;\/roleName\&gt;" | rex "\&lt;boriskhan\&gt;(?&lt;boriskhan&gt;.*)\&lt;\/boriskhan\&gt;" | rex "\&lt;sload\&gt;(?&lt;sload&gt;.*)\&lt;\/sload\&gt;" | rex "\&lt;externalFactor\&gt;(?&lt;externalFactor&gt;.*)\&lt;\/externalFactor\&gt;" | rex "\&lt;parkeristrator\&gt;(?&lt;parkeristrator&gt;.*)\&lt;\/parkeristrator\&gt;" </LI-CODE><P>&nbsp;</P> Thu, 19 Oct 2023 14:17:38 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-do-we-extract-field-header-to-a-value-that-changes-and/m-p/661389#M17676 sandeepreddy947 2023-10-19T14:17:38Z