https://community.splunk.com/t5/Splunk-Search/Need-help-with-field-extractions-on-these-events/m-p/364528#M107550 <P>You can extract all the fields with this regex:</P> <PRE><CODE>^(?P&lt;f1&gt;[^|]*)\|(?P&lt;f2&gt;[^|]*)\|(?P&lt;name&gt;[^|]*)\|((?P&lt;phone&gt;[^|]*)|((?P&lt;address&gt;[^|]*)\|(?P&lt;info1&gt;[^|]*)\|(?P&lt;info2&gt;[^|]*)))$ </CODE></PRE> <P>You will have to change the field names as you wish them to be, but it will extract the fields from either the first or second example lines. It's also fairly efficient.</P> Fri, 22 Dec 2017 19:01:29 GMT cpetterborg 2017-12-22T19:01:29Z https://community.splunk.com/t5/Splunk-Search/Need-help-with-field-extractions-on-these-events/m-p/364527#M107549 <P>I have the following value:</P> <P><STRONG>Events</STRONG><BR /> X|0001|NAME|PHONE<BR /> X|0002|NAME|ADDRESS|INFO1|INFO2</P> <P>Based on the type (0001 or 0002) I want to extract different fields, is it possible ?</P> <P>Can I split the event value based on a common separator (pipe) ?</P> Fri, 22 Dec 2017 16:28:52 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-with-field-extractions-on-these-events/m-p/364527#M107549 gabrieldiasrosa 2017-12-22T16:28:52Z https://community.splunk.com/t5/Splunk-Search/Need-help-with-field-extractions-on-these-events/m-p/364528#M107550 <P>You can extract all the fields with this regex:</P> <PRE><CODE>^(?P&lt;f1&gt;[^|]*)\|(?P&lt;f2&gt;[^|]*)\|(?P&lt;name&gt;[^|]*)\|((?P&lt;phone&gt;[^|]*)|((?P&lt;address&gt;[^|]*)\|(?P&lt;info1&gt;[^|]*)\|(?P&lt;info2&gt;[^|]*)))$ </CODE></PRE> <P>You will have to change the field names as you wish them to be, but it will extract the fields from either the first or second example lines. It's also fairly efficient.</P> Fri, 22 Dec 2017 19:01:29 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-with-field-extractions-on-these-events/m-p/364528#M107550 cpetterborg 2017-12-22T19:01:29Z