https://community.splunk.com/t5/Splunk-Enterprise/extract-two-values-as-field-from-following-log-and-show-average/m-p/516986#M3175 <P>i want to extract two values from the below log message like TestUser as one field(featuename) and accounts_fetch as scenario name , and visualize the average requests for featurename +sceanrioname</P><P><SPAN>"Successfully retrieved the account details for user: KL**19**19**19**19**11**11**11** with feature: TestUser, scenario: accounts_fetch"</SPAN></P> Mon, 31 Aug 2020 09:41:02 GMT nandhiniG 2020-08-31T09:41:02Z https://community.splunk.com/t5/Splunk-Enterprise/extract-two-values-as-field-from-following-log-and-show-average/m-p/516986#M3175 <P>i want to extract two values from the below log message like TestUser as one field(featuename) and accounts_fetch as scenario name , and visualize the average requests for featurename +sceanrioname</P><P><SPAN>"Successfully retrieved the account details for user: KL**19**19**19**19**11**11**11** with feature: TestUser, scenario: accounts_fetch"</SPAN></P> Mon, 31 Aug 2020 09:41:02 GMT https://community.splunk.com/t5/Splunk-Enterprise/extract-two-values-as-field-from-following-log-and-show-average/m-p/516986#M3175 nandhiniG 2020-08-31T09:41:02Z https://community.splunk.com/t5/Splunk-Enterprise/extract-two-values-as-field-from-following-log-and-show-average/m-p/516994#M3176 <LI-CODE lang="markup">... base search | rex "feature: \"(?&lt;featurename&gt;[^,]+), scenario: (?&lt;scenarioname&gt;[^\"]+)\"" | eval combined=featurename + "+" + scenarioname</LI-CODE><P>You can now use stats to count by combined over some time period (e.g. 1hr), then another stats to take average counts for that period over a longer period (e.g. 1 day) although it isn't clear if that is what you mean by average requests</P> Mon, 31 Aug 2020 10:30:46 GMT https://community.splunk.com/t5/Splunk-Enterprise/extract-two-values-as-field-from-following-log-and-show-average/m-p/516994#M3176 ITWhisperer 2020-08-31T10:30:46Z https://community.splunk.com/t5/Splunk-Enterprise/extract-two-values-as-field-from-following-log-and-show-average/m-p/516998#M3177 <P>I used the suggested pattern with sma;ll changes for extracting field as table ,</P><P>"Successfully retrieved the account details for user:"| rex<BR />field=msg "feature: \"(?&lt;featurename&gt;[^,]+), scenario: (?&lt;scenarioname&gt;[^\"]+)\"" | table featurename scenarioname</P><P>&nbsp;</P><P>but the string value is not extracted in table i see empty tables</P> Mon, 31 Aug 2020 11:14:15 GMT https://community.splunk.com/t5/Splunk-Enterprise/extract-two-values-as-field-from-following-log-and-show-average/m-p/516998#M3177 nandhiniG 2020-08-31T11:14:15Z https://community.splunk.com/t5/Splunk-Enterprise/extract-two-values-as-field-from-following-log-and-show-average/m-p/517000#M3178 <P>The pattern had extra double quotes in which were not needed</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">"Successfully retrieved the account details for user:"| rex field=msg "feature: (?&lt;featurename&gt;[^,]+), scenario: (?&lt;scenarioname&gt;.+)" | table featurename scenarioname</LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Mon, 31 Aug 2020 11:23:57 GMT https://community.splunk.com/t5/Splunk-Enterprise/extract-two-values-as-field-from-following-log-and-show-average/m-p/517000#M3178 ITWhisperer 2020-08-31T11:23:57Z https://community.splunk.com/t5/Splunk-Enterprise/extract-two-values-as-field-from-following-log-and-show-average/m-p/517002#M3179 <P>Thank you !!! it works&nbsp;</P> Mon, 31 Aug 2020 11:40:19 GMT https://community.splunk.com/t5/Splunk-Enterprise/extract-two-values-as-field-from-following-log-and-show-average/m-p/517002#M3179 nandhiniG 2020-08-31T11:40:19Z