https://community.splunk.com/t5/Splunk-Search/How-do-you-use-rex-to-extract-a-specific-field-in-Splunk/m-p/455097#M128736 <P>Something like this should work:</P> <PRE><CODE>| rex field=Custom_Tag "\"Account\",\s+\"Value\":\s+\"(?&lt;Tag_Account&gt;[^\"]+)" | rex field=Custom_Tag "\"AssetOwner\",\s+\"Value\":\s+\"(?&lt;Tag_AssetOwner&gt;[^\"]+)" | rex field=Custom_Tag "\"AssetDataStored\",\s+\"Value\":\s+\"(?&lt;Tag_AssetDataStored&gt;[^\"]+)" </CODE></PRE> Fri, 22 Mar 2019 15:55:34 GMT FrankVl 2019-03-22T15:55:34Z https://community.splunk.com/t5/Splunk-Search/How-do-you-use-rex-to-extract-a-specific-field-in-Splunk/m-p/455096#M128735 <P>Hello,</P> <P>Can anybody help me extracting from this table with 3 regular expression:</P> <P>I got a column in Splunk like this and the values between</P> <P>Custom_Tag (this is the column name which i need to be split into 3 columns Account,AssetOwner,AssetDataStored)<BR /> "Key": "Account", "Value": "037395386785"<BR /> "Key": "AssetOwner", "Value": "Infrastructure"<BR /> "Key": "AssetDataStored", "Value": "InternalUseOnly"<BR /> "Key": "Account", "Value": "343254354354"<BR /> "Key": "AssetOwner", "Value": "Production"<BR /> "Key": "AssetDataStored", "Value": "ExternalUse"</P> <P>and i need a <CODE>rex</CODE> to extract the values into 3 columns when matching the word Account,AssetOwner,AssedDataStored</P> <P>Tag_Account Tag_AssetOwner Tag_AssetDataStored<BR /> 037395386785 Infrastructure InternalUseOnly<BR /> 343254354354 Production ExternalUse</P> Tue, 29 Sep 2020 23:48:05 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-use-rex-to-extract-a-specific-field-in-Splunk/m-p/455096#M128735 braicu 2020-09-29T23:48:05Z https://community.splunk.com/t5/Splunk-Search/How-do-you-use-rex-to-extract-a-specific-field-in-Splunk/m-p/455097#M128736 <P>Something like this should work:</P> <PRE><CODE>| rex field=Custom_Tag "\"Account\",\s+\"Value\":\s+\"(?&lt;Tag_Account&gt;[^\"]+)" | rex field=Custom_Tag "\"AssetOwner\",\s+\"Value\":\s+\"(?&lt;Tag_AssetOwner&gt;[^\"]+)" | rex field=Custom_Tag "\"AssetDataStored\",\s+\"Value\":\s+\"(?&lt;Tag_AssetDataStored&gt;[^\"]+)" </CODE></PRE> Fri, 22 Mar 2019 15:55:34 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-use-rex-to-extract-a-specific-field-in-Splunk/m-p/455097#M128736 FrankVl 2019-03-22T15:55:34Z https://community.splunk.com/t5/Splunk-Search/How-do-you-use-rex-to-extract-a-specific-field-in-Splunk/m-p/455098#M128737 <P>Hi</P> <P>Give a try</P> <PRE><CODE>| makeresults | eval Custom_Tag ="\"Key\": \"Account\", \"Value\": \"037395386785\"" | append [| makeresults | eval Custom_Tag ="\"Key\": \"AssetOwner\", \"Value\": \"Infrastructure\""] | append [| makeresults | eval Custom_Tag ="\"Key\": \"AssetDataStored\", \"Value\": \"InternalUseOnly\""] | append [| makeresults | eval Custom_Tag ="\"Key\": \"Account\", \"Value\": \"343254354354\""] | append [| makeresults | eval Custom_Tag ="\"Key\": \"AssetOwner\", \"Value\": \"Production\""] | append [| makeresults | eval Custom_Tag ="\"Key\": \"AssetDataStored\", \"Value\": \"ExternalUse\""] | eval temp = replace(Custom_Tag , "\"|:|Key|Value","") | makemv delim="," temp | eval column1 = ltrim(mvindex(temp,0)) | eval column2=ltrim(mvindex(temp,1)) | eval{column1}=column2 | stats list(Account) as Tag_Account,list(AssetDataStored) as Tag_AssetDataStored,list(AssetOwner) as Tag_AssetOwner </CODE></PRE> Fri, 22 Mar 2019 18:19:09 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-use-rex-to-extract-a-specific-field-in-Splunk/m-p/455098#M128737 vnravikumar 2019-03-22T18:19:09Z