https://community.splunk.com/t5/Splunk-Dev/How-to-extract-the-fields-from-Message-in-WinEventLog/m-p/546058#M9800 <LI-CODE lang="markup">| makeresults | eval test="a$1,b$2" | rex field=test max_match=0 "((?&lt;field&gt;[^$]*)\$(?&lt;value&gt;[^,]*),?)" | eval fieldvalue=mvzip(field,value,"=") | mvexpand fieldvalue | eval field=mvindex(split(fieldvalue,"="),0) | eval value=mvindex(split(fieldvalue,"="),1) | eval {field}=value | fields - field value fieldvalue test</LI-CODE><P>This will create separate events for each field/value pair. If you want to recombine them back to their original events, if you don't already have a field with a unique value in, you could use streamstats to add a row number to the events before the mvexpand, then use a stats command with values(*) as * by row to recombine them.</P> Tue, 30 Mar 2021 17:43:35 GMT ITWhisperer 2021-03-30T17:43:35Z https://community.splunk.com/t5/Splunk-Dev/How-to-extract-the-fields-from-Message-in-WinEventLog/m-p/546041#M9799 <P>We are trying to to extract the fields from Message in WinEventLog in the Avecto data.</P><P>The data looks like -</P><P>&nbsp;</P><LI-CODE lang="markup"> Process Id: 21592 Parent Process Id: 24704 Workstyle: Avecto Defendpoint.Systems Employees Application Group: Avecto Defendpoint.Add Admin - Privileged Users - Applications Reason: &lt;None&gt; File Name: &lt;file name&gt; Hash: 4478EBABE67B50EB111D59F95FE029D31329F1FC Certificate: &lt;name&gt; Description: Command line runner Application Type: exe Product Name: IntelliJ Platform Product Code: &lt;None&gt; Upgrade Code: &lt;None&gt; ....</LI-CODE><P>&nbsp;</P><P>Each line in Message has a name value pair, separated by a colon.</P><P>The documentation at <A title="Rex doc" href="https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Rex" target="_self">https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Rex</A> shows -</P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults | eval test="a$1,b$2" | rex field=test max_match=0 "((?&lt;field&gt;[^$]*)\$(?&lt;value&gt;[^,]*),?)"</LI-CODE><P>&nbsp;</P><P>which works.</P><P>The similar one I did for Avecto works fine -</P><P>&nbsp;</P><LI-CODE lang="markup">index = &lt;avecto index&gt; Message=* | rex field=Message max_match=0 "((?&lt;field&gt;.+)\:(?&lt;value&gt;.+),?)" | table Message field value</LI-CODE><P>&nbsp;</P><P>We end up with field a and value, each is a multi-value field.</P><P>Is there a way to change so, we'll have multiple fields, each with its own name/value pair, such as Process_Id having 21592 as its value.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 30 Mar 2021 16:32:49 GMT https://community.splunk.com/t5/Splunk-Dev/How-to-extract-the-fields-from-Message-in-WinEventLog/m-p/546041#M9799 danielbb 2021-03-30T16:32:49Z https://community.splunk.com/t5/Splunk-Dev/How-to-extract-the-fields-from-Message-in-WinEventLog/m-p/546058#M9800 <LI-CODE lang="markup">| makeresults | eval test="a$1,b$2" | rex field=test max_match=0 "((?&lt;field&gt;[^$]*)\$(?&lt;value&gt;[^,]*),?)" | eval fieldvalue=mvzip(field,value,"=") | mvexpand fieldvalue | eval field=mvindex(split(fieldvalue,"="),0) | eval value=mvindex(split(fieldvalue,"="),1) | eval {field}=value | fields - field value fieldvalue test</LI-CODE><P>This will create separate events for each field/value pair. If you want to recombine them back to their original events, if you don't already have a field with a unique value in, you could use streamstats to add a row number to the events before the mvexpand, then use a stats command with values(*) as * by row to recombine them.</P> Tue, 30 Mar 2021 17:43:35 GMT https://community.splunk.com/t5/Splunk-Dev/How-to-extract-the-fields-from-Message-in-WinEventLog/m-p/546058#M9800 ITWhisperer 2021-03-30T17:43:35Z