https://community.splunk.com/t5/Splunk-Search/Problem-extracting-fields-from-auto-extracted-field/m-p/457245#M129184 <P>Sorry, regex on [login] is</P> <PRE><CODE>^[\d\s/:]+(?P&lt;login&gt;\w*)\s+(?P&lt;type&gt;\w*) </CODE></PRE> <P>The field <STRONG>login</STRONG> is well extracted but <STRONG>user</STRONG> is not</P> Tue, 20 Aug 2019 15:59:30 GMT ktn01 2019-08-20T15:59:30Z https://community.splunk.com/t5/Splunk-Search/Problem-extracting-fields-from-auto-extracted-field/m-p/457244#M129183 <P>Hello,</P> <P>I have events in the following format:</P> <PRE><CODE>20/08/19 16:34:17 login1 command RunAsUsers="web,tomcat,embed" </CODE></PRE> <P>with the following configs</P> <P><STRONG>props.conf:</STRONG></P> <PRE><CODE>[mysourcetype] TIME_PREFIX = ^ MAX_TIMESTAMP_LOOKAHEAD = 20 TIME_FORMAT = %d/%m/%y %H:%M:%S NO_BINARY_CHECK = true SHOULD_LINEMERGE = false KV_MODE = auto_escaped REPORT-mysourcetype = login,user </CODE></PRE> <P><STRONG>transforms.conf:</STRONG></P> <PRE><CODE> [login] REGEX = ^[\d\s/:]+(?P&lt;user&gt;\w*)\s+(?P&lt;type&gt;\w*) [user] SOURCE_KEY = RunAsUsers REGEX = (?P&lt;user&gt;[^,]+) MV_ADD = true </CODE></PRE> <P>Fields <STRONG>"user"</STRONG>, <STRONG>"type"</STRONG> and <STRONG>"RunAsUsers"</STRONG> are well extracted but the multi KV <STRONG>"user"</STRONG> is not created.</P> <P>An idea of ​​what I'm doing wrong?</P> <P>Thanks<BR /> Christian</P> Tue, 20 Aug 2019 15:11:27 GMT https://community.splunk.com/t5/Splunk-Search/Problem-extracting-fields-from-auto-extracted-field/m-p/457244#M129183 ktn01 2019-08-20T15:11:27Z https://community.splunk.com/t5/Splunk-Search/Problem-extracting-fields-from-auto-extracted-field/m-p/457245#M129184 <P>Sorry, regex on [login] is</P> <PRE><CODE>^[\d\s/:]+(?P&lt;login&gt;\w*)\s+(?P&lt;type&gt;\w*) </CODE></PRE> <P>The field <STRONG>login</STRONG> is well extracted but <STRONG>user</STRONG> is not</P> Tue, 20 Aug 2019 15:59:30 GMT https://community.splunk.com/t5/Splunk-Search/Problem-extracting-fields-from-auto-extracted-field/m-p/457245#M129184 ktn01 2019-08-20T15:59:30Z https://community.splunk.com/t5/Splunk-Search/Problem-extracting-fields-from-auto-extracted-field/m-p/457246#M129185 <P>Hello,</P> <P>For information, Splunk support give me the following solution using the config file "fields.conf":</P> <P>[RunAsUsers]<BR /> TOKENIZER = ([^,]+)</P> <P>Regards<BR /> Christian</P> Fri, 01 Nov 2019 14:38:56 GMT https://community.splunk.com/t5/Splunk-Search/Problem-extracting-fields-from-auto-extracted-field/m-p/457246#M129185 ktn01 2019-11-01T14:38:56Z