https://community.splunk.com/t5/Splunk-Search/How-to-get-the-field-value-substring/m-p/395761#M114910 <P>Try the following. It triggers on the <CODE>{</CODE> character and then skips the 2 parts after that ("type" and "A" in your examples) and then extracts the next word. It will keep matching and adding to a multivalued field. Then the mvjoin command is used to translate that multivalued field into a comma separated field as you requested.</P> <PRE><CODE>...your base search to get to this data... | rex field=response "\{\"\w+\":\"\w+\",\"(?&lt;response_values&gt;[^\"]+)" max_match=0 | eval response_values = mvjoin(response_values,",") </CODE></PRE> <P>See <A href="https://regex101.com/r/LwxZmR/1">https://regex101.com/r/LwxZmR/1</A> for confirmation that the regex works with your samples.</P> Tue, 19 Jun 2018 11:09:35 GMT FrankVl 2018-06-19T11:09:35Z https://community.splunk.com/t5/Splunk-Search/How-to-get-the-field-value-substring/m-p/395757#M114906 <P>I have a field whose values show DNS query information<BR /> for example:</P> <PRE><CODE>[{"type":"A","**response**":"204.2.232.240","asn":"2914","asname":"N/A"}] </CODE></PRE> <P>The field name is named "response"<BR /> I want to put in a different field all of the different response values (in bold)<BR /> this field could contain more than 1 response value so I want them all to be in a new field with "," delimiter<BR /> how do I do that?</P> Tue, 19 Jun 2018 08:22:33 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-the-field-value-substring/m-p/395757#M114906 mcohen13 2018-06-19T08:22:33Z https://community.splunk.com/t5/Splunk-Search/How-to-get-the-field-value-substring/m-p/395758#M114907 <P>Can you also provide samples of events that contain multiple responses? Bit hard to come up with a regular expression based on just this simple example, while you need it to work also on more complex data apparently.</P> Tue, 19 Jun 2018 08:53:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-the-field-value-substring/m-p/395758#M114907 FrankVl 2018-06-19T08:53:54Z https://community.splunk.com/t5/Splunk-Search/How-to-get-the-field-value-substring/m-p/395759#M114908 <P>[{"type":"N/A","response":"N/A","asn":"N/A","asname":"N/A"}]<BR /><BR /> [{"type":"A","response":"172.20.2.105","asn":"reserved","asname":"reserved"}]<BR /> [{"type":"A","response":"172.22.36.3","asn":"reserved","asname":"reserved"}]<BR /> [{"type":"A","response":"172.28.76.33","asn":"reserved","asname":"reserved"}]<BR /><BR /> [{"type":"A","response":"204.2.232.240","asn":"2914","asname":"N/A"}]<BR /> [{"type":"A","response":"2.16.76.110","asn":"20940","asname":"N/A"}]<BR /><BR /> [{"type":"A","response":"153.254.159.149","asn":"2914","asname":"N/A"}] <BR /> [{"type":"A","response":"209.99.64.18","asn":"40034","asname":"N/A"}]<BR /><BR /> [{"type":"A","response":"64.124.235.203","asn":"6461","asname":"N/A"}]<BR /> [{"type":"A","response":"67.225.218.50","asn":"32244","asname":"N/A"}]<BR /> [{"type":"A","response":"63.237.67.237","asn":"209","asname":"qwest"}]<BR /><BR /> [{"type":"A","response":"184.84.165.252","asn":"20940","asname":"N/A"}] <BR /> [{"type":"A","response":"23.55.56.71","asn":"20940","asname":"N/A"}]<BR /> [{"type":"A","response":"96.17.148.189","asn":"20940","asname":"N/A"}]<BR /><BR /> [{"type":"A","response":"104.110.189.77","asn":"20940","asname":"N/A"}]<BR /> [{"type":"A","response":"2.16.165.55","asn":"20940","asname":"N/A"}]<BR /> [{"type":"A","response":"104.79.196.66","asn":"20940","asname":"N/A"}]</P> Tue, 19 Jun 2018 10:20:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-the-field-value-substring/m-p/395759#M114908 mcohen13 2018-06-19T10:20:40Z https://community.splunk.com/t5/Splunk-Search/How-to-get-the-field-value-substring/m-p/395760#M114909 <P>[{"type":"A","response":"52.7.102.57","asn":"14618","asname":"aws"},{"type":"A","response":"52.71.245.135","asn":"14618","asname":"aws"}]</P> Tue, 19 Jun 2018 10:21:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-the-field-value-substring/m-p/395760#M114909 mcohen13 2018-06-19T10:21:40Z https://community.splunk.com/t5/Splunk-Search/How-to-get-the-field-value-substring/m-p/395761#M114910 <P>Try the following. It triggers on the <CODE>{</CODE> character and then skips the 2 parts after that ("type" and "A" in your examples) and then extracts the next word. It will keep matching and adding to a multivalued field. Then the mvjoin command is used to translate that multivalued field into a comma separated field as you requested.</P> <PRE><CODE>...your base search to get to this data... | rex field=response "\{\"\w+\":\"\w+\",\"(?&lt;response_values&gt;[^\"]+)" max_match=0 | eval response_values = mvjoin(response_values,",") </CODE></PRE> <P>See <A href="https://regex101.com/r/LwxZmR/1">https://regex101.com/r/LwxZmR/1</A> for confirmation that the regex works with your samples.</P> Tue, 19 Jun 2018 11:09:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-the-field-value-substring/m-p/395761#M114910 FrankVl 2018-06-19T11:09:35Z https://community.splunk.com/t5/Splunk-Search/How-to-get-the-field-value-substring/m-p/395762#M114911 <P>tried and it's not working</P> Tue, 19 Jun 2018 14:01:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-the-field-value-substring/m-p/395762#M114911 mcohen13 2018-06-19T14:01:46Z https://community.splunk.com/t5/Splunk-Search/How-to-get-the-field-value-substring/m-p/395763#M114912 <P>Any errors / what does "not working" mean?</P> <P>It works fine for me when I test it like this:</P> <PRE><CODE>| makeresults | eval response="[{\"type\":\"A\",\"response\":\"52.7.102.57\",\"asn\":\"14618\",\"asname\":\"aws\"},{\"type\":\"A\",\"response\":\"52.71.245.135\",\"asn\":\"14618\",\"asname\":\"aws\"}]" | rex field=response "\{\"\w+\":\"\w+\",\"(?&lt;response_values&gt;[^\"]+)" max_match=0 | eval response_values = mvjoin(response_values,",") </CODE></PRE> <P>Can you share a screenshot of your attempt?</P> Tue, 19 Jun 2018 14:33:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-the-field-value-substring/m-p/395763#M114912 FrankVl 2018-06-19T14:33:19Z https://community.splunk.com/t5/Splunk-Search/How-to-get-the-field-value-substring/m-p/395764#M114913 <P>in the response_values field i get the response twice, what i want is the ip address<BR /> 2018-06-20 12:33:02 [{"type":"A","response":"52.7.102.57","asn":"14618","asname":"aws"},{"type":"A","response":"52.71.245.135","asn":"14618","asname":"aws"}] response,response</P> Wed, 20 Jun 2018 12:34:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-the-field-value-substring/m-p/395764#M114913 mcohen13 2018-06-20T12:34:10Z https://community.splunk.com/t5/Splunk-Search/How-to-get-the-field-value-substring/m-p/395765#M114914 <P>Well, you asked for extracting the bold "response" values. So that's what I thought you wanted. But extracting the address makes a lot more sense, try this:</P> <PRE><CODE>...your base search to get to this data... | rex "\"response\":\"(?&lt;response_values&gt;[^\"]+)" max_match=0 | eval response_values = mvjoin(response_values,",") </CODE></PRE> Wed, 20 Jun 2018 12:42:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-the-field-value-substring/m-p/395765#M114914 FrankVl 2018-06-20T12:42:37Z https://community.splunk.com/t5/Splunk-Search/How-to-get-the-field-value-substring/m-p/395766#M114915 <P>works thanks!</P> Wed, 20 Jun 2018 15:23:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-the-field-value-substring/m-p/395766#M114915 mcohen13 2018-06-20T15:23:45Z