https://community.splunk.com/t5/Splunk-Search/Rex-for-different-pattern-of-same-fields-within-same-event/m-p/391880#M114078 <P>Please help @niketnilay <BR /> @shwetas </P> Thu, 18 Jul 2019 13:06:51 GMT sh254087 2019-07-18T13:06:51Z https://community.splunk.com/t5/Splunk-Search/Rex-for-different-pattern-of-same-fields-within-same-event/m-p/391879#M114077 <P>Trying to formulate a Regex that would work with events something like the below one. When I tried extracting the fields, I did not get to the expected output as the field name I'm looking at is same for values of different pattern. The rex was either failing or throwing error about using duplicate field name.</P> <P>Sample Event entry:<BR /> No machines for project Print-Demo<BR /> No machines for project Kimkeen_POC<BR /> No machines for project Default Project<BR /> Project name: ABCD Life, Machine name:hlstocpra2, Status:STARTED, Backlog bytes:0, Last consistency:Still replicating<BR /> Project name: ABCD Life, Machine name:HKWONDERSVD02, Status:PAUSED, Backlog bytes:0, Last consistency:Still replicating<BR /> Project name: ABCD Life, Machine name:hlstocpraw2, Status:PAUSED, Backlog bytes:0, Last consistency:Still replicating<BR /> No machines for project Print<BR /> No machines for project Demo2<BR /> No machines for project Test_migrate</P> <P>Expected extraction and output:<BR /> <IMG src="https://community.splunk.com/storage/temp/274141-rex-multiextraction-req.jpg" alt="alt text" /></P> <P>Looking for help in extracting the fields with all the values to be presented in individual rows.</P> Wed, 30 Sep 2020 01:20:16 GMT https://community.splunk.com/t5/Splunk-Search/Rex-for-different-pattern-of-same-fields-within-same-event/m-p/391879#M114077 sh254087 2020-09-30T01:20:16Z https://community.splunk.com/t5/Splunk-Search/Rex-for-different-pattern-of-same-fields-within-same-event/m-p/391880#M114078 <P>Please help @niketnilay <BR /> @shwetas </P> Thu, 18 Jul 2019 13:06:51 GMT https://community.splunk.com/t5/Splunk-Search/Rex-for-different-pattern-of-same-fields-within-same-event/m-p/391880#M114078 sh254087 2019-07-18T13:06:51Z https://community.splunk.com/t5/Splunk-Search/Rex-for-different-pattern-of-same-fields-within-same-event/m-p/391881#M114079 <P>Hi sh254087,<BR /> I suggest to use two different regexes, one for No machines and one for machines the merge machine name fields using coalesce, in othe words:</P> <PRE><CODE>| rex "(No machines for project )(?&lt;Project_Name1&gt;.*)" | rex "(?ms)Project name: (?&lt;Project_Name2&gt;[^,]*), Machine name:(?&lt;Machine_Name&gt;[^,]*), Status:(?&lt;Status&gt;[^,]*), Backlog bytes:(?&lt;Backlog_bytes&gt;[^,]*)" | eval Project_name=coalesce(Project_name1,Project_name2) </CODE></PRE> <P>you can test it at <A href="https://regex101.com/r/X3pgrK/2">https://regex101.com/r/X3pgrK/2</A></P> <P>Bye.<BR /> Giuseppe</P> Thu, 18 Jul 2019 13:19:19 GMT https://community.splunk.com/t5/Splunk-Search/Rex-for-different-pattern-of-same-fields-within-same-event/m-p/391881#M114079 gcusello 2019-07-18T13:19:19Z https://community.splunk.com/t5/Splunk-Search/Rex-for-different-pattern-of-same-fields-within-same-event/m-p/391882#M114080 <P>I'm not sure if you should use a more complex single rex command, but you can:</P> <PRE><CODE>| rex "[Pp]roject (?:name: )?(?&lt;ProjectName&gt;[^\,\r\n]+)(?:\, Machine name\:(?&lt;MachineName&gt;[^\,]+)\, Status\:(?&lt;JobStatus&gt;[^\,]+)\, Backlog bytes\:(?&lt;BacklogBytes&gt;[0-9]+)\, Last consistency\:(?&lt;LastConsistency&gt;.*))?" | table ProjectName, MachineName, JobStatus, BacklogBytes, LastConsistency </CODE></PRE> Thu, 18 Jul 2019 16:10:02 GMT https://community.splunk.com/t5/Splunk-Search/Rex-for-different-pattern-of-same-fields-within-same-event/m-p/391882#M114080 wenthold 2019-07-18T16:10:02Z