https://community.splunk.com/t5/Splunk-Search/Can-t-Extract-Multiple-Custom-Fields/m-p/51683#M12531 <P>Hello,</P> <P>I'm trying to extract each of the 16 values following the "Latency:" string into 16 separate fields and then export the fields to a CSV file. The default extraction doesn't seem to extract them, so I used IFX to generate a Latency field, but that contained all 16 values in a single string, again, not what I need.</P> <P>--</P> <P>Jul 25 09:53:33 datapower xi50-opsSyslog [latency][info] mpgw(opsSftpExmFrontGateway): trans(942496)[10.1.131.205]: Latency: 0 1 0 0 0 0 0 1 1 1 13 13 0 1 0 1 [sftp://[::]:2060/dropbox;type=d]</P> <P>Jul 25 09:55:30 datapower xi50-opsSyslog [latency][info] mpgw(opsSftpExmFrontGateway): trans(942512)[10.1.131.205]: Latency: 0 16 0 68259 68259 0 0 68260 68260 68260 68260 68260 0 68260 0 16 [sftp://[::]:2060/dropbox/test1.dat]</P> <P>Jul 25 09:56:39 datapower xi50-opsSyslog [latency][info] mpgw(opsSftpExmFrontGateway): trans(944752)[10.1.131.205]: Latency: 0 1 0 0 0 0 0 1 1 1 13 13 0 1 0 1 [sftp://[::]:2060/dropbox/;type=d]</P> <P>--</P> <P>I'm struggling with breaking out the 16 individual fields. Any suggestions would be greatly appreciated.</P> Mon, 01 Aug 2011 21:32:05 GMT mxsullivan 2011-08-01T21:32:05Z https://community.splunk.com/t5/Splunk-Search/Can-t-Extract-Multiple-Custom-Fields/m-p/51683#M12531 <P>Hello,</P> <P>I'm trying to extract each of the 16 values following the "Latency:" string into 16 separate fields and then export the fields to a CSV file. The default extraction doesn't seem to extract them, so I used IFX to generate a Latency field, but that contained all 16 values in a single string, again, not what I need.</P> <P>--</P> <P>Jul 25 09:53:33 datapower xi50-opsSyslog [latency][info] mpgw(opsSftpExmFrontGateway): trans(942496)[10.1.131.205]: Latency: 0 1 0 0 0 0 0 1 1 1 13 13 0 1 0 1 [sftp://[::]:2060/dropbox;type=d]</P> <P>Jul 25 09:55:30 datapower xi50-opsSyslog [latency][info] mpgw(opsSftpExmFrontGateway): trans(942512)[10.1.131.205]: Latency: 0 16 0 68259 68259 0 0 68260 68260 68260 68260 68260 0 68260 0 16 [sftp://[::]:2060/dropbox/test1.dat]</P> <P>Jul 25 09:56:39 datapower xi50-opsSyslog [latency][info] mpgw(opsSftpExmFrontGateway): trans(944752)[10.1.131.205]: Latency: 0 1 0 0 0 0 0 1 1 1 13 13 0 1 0 1 [sftp://[::]:2060/dropbox/;type=d]</P> <P>--</P> <P>I'm struggling with breaking out the 16 individual fields. Any suggestions would be greatly appreciated.</P> Mon, 01 Aug 2011 21:32:05 GMT https://community.splunk.com/t5/Splunk-Search/Can-t-Extract-Multiple-Custom-Fields/m-p/51683#M12531 mxsullivan 2011-08-01T21:32:05Z https://community.splunk.com/t5/Splunk-Search/Can-t-Extract-Multiple-Custom-Fields/m-p/51684#M12532 <P>What I would probably do is, in a search string, add:</P> <PRE><CODE>| rex field=_raw "Latency: (?&lt;Field1&gt;\d*) (?&lt;Field2&gt;\d*) (?&lt;Field3&gt;\d*) (?&lt;Field4&gt;\d*) (?&lt;Field5&gt;\d*) (?&lt;Field6&gt;\d*) (?&lt;Field7&gt;\d*) (?&lt;Field8&gt;\d*) (?&lt;Field9&gt;\d*) (?&lt;Field10&gt;\d*) (?&lt;Field11&gt;\d*) (?&lt;Field12&gt;\d*) (?&lt;Field13&gt;\d*) (?&lt;Field14&gt;\d*) (?&lt;Field15&gt;\d*) (?&lt;Field16&gt;\d*)" | table Field1 Field2 Field3 Field4 Field5 Field6 Field7 Field8 Field9 Field10 Field11 Field12 Field13 Field14 Field15 Field16 </CODE></PRE> <P>You can also put the first part in your props.conf, via:</P> <PRE><CODE>[SourceType] EXTRACT-SixteenFields = Latency: (?&lt;Field1&gt;\d*) (?&lt;Field2&gt;\d*) (?&lt;Field3&gt;\d*) (?&lt;Field4&gt;\d*) (?&lt;Field5&gt;\d*) (?&lt;Field6&gt;\d*) (?&lt;Field7&gt;\d*) (?&lt;Field8&gt;\d*) (?&lt;Field9&gt;\d*) (?&lt;Field10&gt;\d*) (?&lt;Field11&gt;\d*) (?&lt;Field12&gt;\d*) (?&lt;Field13&gt;\d*) (?&lt;Field14&gt;\d*) (?&lt;Field15&gt;\d*) (?&lt;Field16&gt;\d*) </CODE></PRE> <P>And then it will be automatically extracted for you.</P> Mon, 01 Aug 2011 23:45:59 GMT https://community.splunk.com/t5/Splunk-Search/Can-t-Extract-Multiple-Custom-Fields/m-p/51684#M12532 David 2011-08-01T23:45:59Z