topic Field Extraction with Inconsistent Missing Values Fields in Each of the Events in Installation https://community.splunk.com/t5/Installation/Field-Extraction-with-Inconsistent-Missing-Values-Fields-in-Each/m-p/571056#M10752 <P>Hello,</P><P>I am some issues in writing field extraction expression for following events (3 sample events are given below).</P><P>Each of the events has&nbsp; comma Separated 14 field values. Most of the cases event doesnot have all field values (i.e., no values between 2 commas)&nbsp; &nbsp;</P><P>I was trying with this expression&nbsp;&nbsp;<STRONG>^(?P&lt;Field1&gt;\w+),(?P&lt;Field2&gt;\w+),(?P&lt;Field3&gt;\w+),(?P&lt;Field4&gt;\w+),</STRONG></P><P>But it stuck at Field4 as it doesn't have any values (i.e., no values between 2 commas for Field4) in event&nbsp; 1. Same thing is happening for other events where there is now value between 2 commas. How would I write my field extraction expression (or (REGEX)&nbsp; ) to extract&nbsp; 14 fields from each of the events considering some fields may not have values (i.e., no values between 2 commas). Any help will be highly appreciated. Thank you so much, appreciate your support in this efforts.</P><P>&nbsp;</P><P>23SRFBB,HESR2,000000000,,TRY5gNbkVnedIIRbrk0A3wWOtE4L,12.218.76.129,2021-10-13 06:39:48 MDT,ISDMCISA,LOGOFF,USER,,,,</P><P>34SWFBB,RESG3,000000000,10AB,TFG3nNbkVnedIIDFbrk0A3wWOtE4L,,2021-10-13 06:39:48 MDT,ISDMCISA,LOGOFF,USER,,,,</P><P>45SRFBB,SES3X,000000000,,FDTt3nNbkVnedIIBSbrk0A3wWOtE4L,12.218.76.129,2021-10-13 06:39:48 MDT,ISDMCISA,LOGOFF,USER,,,1wqa,XY355</P> Fri, 15 Oct 2021 00:41:00 GMT SplunkDash 2021-10-15T00:41:00Z Field Extraction with Inconsistent Missing Values Fields in Each of the Events https://community.splunk.com/t5/Installation/Field-Extraction-with-Inconsistent-Missing-Values-Fields-in-Each/m-p/571056#M10752 <P>Hello,</P><P>I am some issues in writing field extraction expression for following events (3 sample events are given below).</P><P>Each of the events has&nbsp; comma Separated 14 field values. Most of the cases event doesnot have all field values (i.e., no values between 2 commas)&nbsp; &nbsp;</P><P>I was trying with this expression&nbsp;&nbsp;<STRONG>^(?P&lt;Field1&gt;\w+),(?P&lt;Field2&gt;\w+),(?P&lt;Field3&gt;\w+),(?P&lt;Field4&gt;\w+),</STRONG></P><P>But it stuck at Field4 as it doesn't have any values (i.e., no values between 2 commas for Field4) in event&nbsp; 1. Same thing is happening for other events where there is now value between 2 commas. How would I write my field extraction expression (or (REGEX)&nbsp; ) to extract&nbsp; 14 fields from each of the events considering some fields may not have values (i.e., no values between 2 commas). Any help will be highly appreciated. Thank you so much, appreciate your support in this efforts.</P><P>&nbsp;</P><P>23SRFBB,HESR2,000000000,,TRY5gNbkVnedIIRbrk0A3wWOtE4L,12.218.76.129,2021-10-13 06:39:48 MDT,ISDMCISA,LOGOFF,USER,,,,</P><P>34SWFBB,RESG3,000000000,10AB,TFG3nNbkVnedIIDFbrk0A3wWOtE4L,,2021-10-13 06:39:48 MDT,ISDMCISA,LOGOFF,USER,,,,</P><P>45SRFBB,SES3X,000000000,,FDTt3nNbkVnedIIBSbrk0A3wWOtE4L,12.218.76.129,2021-10-13 06:39:48 MDT,ISDMCISA,LOGOFF,USER,,,1wqa,XY355</P> Fri, 15 Oct 2021 00:41:00 GMT https://community.splunk.com/t5/Installation/Field-Extraction-with-Inconsistent-Missing-Values-Fields-in-Each/m-p/571056#M10752 SplunkDash 2021-10-15T00:41:00Z Re: Field Extraction with Inconsistent Missing Values Fields in Each of the Events https://community.splunk.com/t5/Installation/Field-Extraction-with-Inconsistent-Missing-Values-Fields-in-Each/m-p/571061#M10753 <P>Change the + (1 or more) to * (0 or more) for any (or all) fields which might be empty</P><LI-CODE lang="markup">^(?P&lt;Field1&gt;\w+),(?P&lt;Field2&gt;\w+),(?P&lt;Field3&gt;\w+),(?P&lt;Field4&gt;\w*),</LI-CODE> Fri, 15 Oct 2021 04:06:05 GMT https://community.splunk.com/t5/Installation/Field-Extraction-with-Inconsistent-Missing-Values-Fields-in-Each/m-p/571061#M10753 ITWhisperer 2021-10-15T04:06:05Z