https://community.splunk.com/t5/Splunk-Enterprise/Combine-rex-field/m-p/555319#M6097 <P>how do i combine both these rex field into one and display the count?</P><P>index=abc<BR />"exception":"CommonApplicationException"<BR />| rex field=_raw "Exception\:\s(?=ABC)(?&lt;ABC_CODE&gt;[^\:]+)\:(?&lt;Message&gt;[^\"]+)"<BR />| stats count by ABC_CODE, Message<BR /><BR />index=abc<BR />ABC-*<BR />|rex field=_raw "errors\"\:\[\{\"code\"\:\"(?P&lt;ABC_Code&gt;ABC\-\d+)\"\,\"message\"\:\"(?P&lt;Message&gt;[^\"]+)" | where ABC_Code!="" | search ABC_Code=* | Stats count by ABC_Code, Message</P> Thu, 10 Jun 2021 14:38:11 GMT DougiieDee 2021-06-10T14:38:11Z https://community.splunk.com/t5/Splunk-Enterprise/Combine-rex-field/m-p/555319#M6097 <P>how do i combine both these rex field into one and display the count?</P><P>index=abc<BR />"exception":"CommonApplicationException"<BR />| rex field=_raw "Exception\:\s(?=ABC)(?&lt;ABC_CODE&gt;[^\:]+)\:(?&lt;Message&gt;[^\"]+)"<BR />| stats count by ABC_CODE, Message<BR /><BR />index=abc<BR />ABC-*<BR />|rex field=_raw "errors\"\:\[\{\"code\"\:\"(?P&lt;ABC_Code&gt;ABC\-\d+)\"\,\"message\"\:\"(?P&lt;Message&gt;[^\"]+)" | where ABC_Code!="" | search ABC_Code=* | Stats count by ABC_Code, Message</P> Thu, 10 Jun 2021 14:38:11 GMT https://community.splunk.com/t5/Splunk-Enterprise/Combine-rex-field/m-p/555319#M6097 DougiieDee 2021-06-10T14:38:11Z https://community.splunk.com/t5/Splunk-Enterprise/Combine-rex-field/m-p/555339#M6101 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/235178">@DougiieDee</a>&nbsp;</P><P>Can you please try this?</P><LI-CODE lang="markup">index=abc ("exception":"CommonApplicationException" OR ABC-*) | rex field=_raw "Exception\:\s(?=ABC)(?&lt;ABC_CODE_1&gt;[^\:]+)\:(?&lt;Message_1&gt;[^\"]+)" |rex field=_raw "errors\"\:\[\{\"code\"\:\"(?P&lt;ABC_CODE_2&gt;ABC\-\d+)\"\,\"message\"\:\"(?P&lt;Message_2&gt;[^\"]+)" | eval ABC_CODE=if(isnotnull(ABC_CODE_1),ABC_CODE_1,ABC_CODE_2) | eval Message=if(isnotnull(Message),Message_1,Message_2) | where ABC_CODE!="" | stats count by ABC_CODE, Message</LI-CODE><P>&nbsp;</P><P>Thanks<BR />KV<BR />▄︻̷̿┻̿═━一<BR /><BR />If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.</P> Thu, 10 Jun 2021 16:03:31 GMT https://community.splunk.com/t5/Splunk-Enterprise/Combine-rex-field/m-p/555339#M6101 kamlesh_vaghela 2021-06-10T16:03:31Z https://community.splunk.com/t5/Splunk-Enterprise/Combine-rex-field/m-p/555368#M6104 <P>The results are only showing from this&nbsp;</P><PRE>|rex field=_raw "errors\"\:\[\{\"code\"\:\"(?P&lt;ABC_CODE_2&gt;ABC\-\d+)\"\,\"message\"\:\"(?P&lt;Message_2&gt;[^\"]+)" </PRE><P>other rex field didnt show the results.</P> Thu, 10 Jun 2021 18:52:06 GMT https://community.splunk.com/t5/Splunk-Enterprise/Combine-rex-field/m-p/555368#M6104 DougiieDee 2021-06-10T18:52:06Z https://community.splunk.com/t5/Splunk-Enterprise/Combine-rex-field/m-p/555419#M6107 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/235178">@DougiieDee</a>&nbsp;</P><P>Can you please expand timerange if possible?</P><P>Meanwhile can you please share sample events from both search?</P><P>&nbsp;</P> Fri, 11 Jun 2021 04:14:30 GMT https://community.splunk.com/t5/Splunk-Enterprise/Combine-rex-field/m-p/555419#M6107 kamlesh_vaghela 2021-06-11T04:14:30Z https://community.splunk.com/t5/Splunk-Enterprise/Combine-rex-field/m-p/555483#M6111 <P><SPAN>1. {<SPAN class="t">\</SPAN>"<SPAN class="t">errors\</SPAN>"<SPAN class="t">:</SPAN>[{<SPAN class="t">\</SPAN>"<SPAN class="t">code\</SPAN>"\</SPAN><SPAN>"<SPAN class="t"><SPAN class="t a">ABC-</SPAN>1000\</SPAN>",<SPAN class="t">\</SPAN>"<SPAN class="t">message\</SPAN>"\</SPAN><SPAN>"<SPAN class="t">Sorry</SPAN>&nbsp;<SPAN class="t">we</SPAN>&nbsp;<SPAN class="t">are</SPAN>&nbsp;<SPAN class="t">unable</SPAN>&nbsp;<SPAN class="t">to</SPAN>&nbsp;<SPAN class="t">process</SPAN>&nbsp;<SPAN class="t">your</SPAN>&nbsp;<SPAN class="t">request.</SPAN></SPAN></P><P><SPAN>index=abc&nbsp; ABC-*<BR />|rex field=_raw "errors\"\:\[\{\"code\"\:\"(?P&lt;ABC_Code&gt;ABC\-\d+)\"\,\"message\"\:\"(?P&lt;Message&gt;[^\"]+)" | where ABC_Code!="" | search ABC_Code=* | Stats count by ABC_Code Message</SPAN></P><P><SPAN class="t"><SPAN class="t a"><SPAN>2. exception:</SPAN>CommonApplicationException</SPAN><SPAN>&nbsp;</SPAN>ABC_1001<SPAN class="t a">:</SPAN>We<SPAN>'</SPAN>re sorry<SPAN>,&nbsp;</SPAN>it looks like an<SPAN>&nbsp;</SPAN><SPAN class="t h">error</SPAN><SPAN>&nbsp;</SPAN>occured</SPAN></P><P><SPAN class="t"><SPAN>index=abc "exception":"CommonApplicationException"</SPAN><BR /><SPAN>| rex field=_raw "Exception\:\s(?=ABC)(?&lt;ABC_CODE&gt;[^\:]+)\:(?&lt;Message&gt;[^\"]+)"</SPAN><BR /><SPAN>| eval Message=substr(Message, 1, 140)</SPAN><BR /><SPAN>| stats count by ABC_CODE, Message<BR /><BR /></SPAN></SPAN></P><P><SPAN class="t"><SPAN>I have these two rex and want to combine both but because these two are different is it possible to combine them and have&nbsp;Stats count by ABC_Code Message?</SPAN></SPAN></P> Fri, 11 Jun 2021 14:43:39 GMT https://community.splunk.com/t5/Splunk-Enterprise/Combine-rex-field/m-p/555483#M6111 DougiieDee 2021-06-11T14:43:39Z