topic Splunk table and regex filter in Splunk Search https://community.splunk.com/t5/Splunk-Search/Splunk-table-and-regex-filter/m-p/466316#M131313 <P>I have following data in "log" field,<BR /> date1 name : message one<BR /> date2 name : message two<BR /> date3 name : message one<BR /> date4 name : message one<BR /> date5 name : message three<BR /> date6 name : message three</P> <P>i want to filter this and create a table as below,<BR /> columns <BR /> log - count<BR /> message one - 3<BR /> message two - 1<BR /> message three - 2</P> <P>how can i achieve this?</P> Mon, 16 Dec 2019 19:05:17 GMT mnjmht18 2019-12-16T19:05:17Z Splunk table and regex filter https://community.splunk.com/t5/Splunk-Search/Splunk-table-and-regex-filter/m-p/466316#M131313 <P>I have following data in "log" field,<BR /> date1 name : message one<BR /> date2 name : message two<BR /> date3 name : message one<BR /> date4 name : message one<BR /> date5 name : message three<BR /> date6 name : message three</P> <P>i want to filter this and create a table as below,<BR /> columns <BR /> log - count<BR /> message one - 3<BR /> message two - 1<BR /> message three - 2</P> <P>how can i achieve this?</P> Mon, 16 Dec 2019 19:05:17 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-table-and-regex-filter/m-p/466316#M131313 mnjmht18 2019-12-16T19:05:17Z Re: Splunk table and regex filter https://community.splunk.com/t5/Splunk-Search/Splunk-table-and-regex-filter/m-p/466317#M131314 <P>Try this query.</P> <PRE><CODE>... | rex field=log "name : (?&lt;log&gt;.*)" | stats count by log </CODE></PRE> Mon, 16 Dec 2019 19:29:22 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-table-and-regex-filter/m-p/466317#M131314 richgalloway 2019-12-16T19:29:22Z Re: Splunk table and regex filter https://community.splunk.com/t5/Splunk-Search/Splunk-table-and-regex-filter/m-p/466318#M131315 <P>Hi @mnjmht18</P> <P>Try any one of the following</P> <PRE><CODE>| makeresults | eval log="date1 name : message one,date2 name : message two,date3 name : message one,date4 name : message one,date5 name : message three,date6 name : message three" | makemv delim="," log | mvexpand log | rex field=log "name :\s+(?P&lt;log&gt;[^:]+)$" | stats count by log </CODE></PRE> <P>or</P> <PRE><CODE>| makeresults | eval log="date1 name : message one,date2 name : message two,date3 name : message one,date4 name : message one,date5 name : message three,date6 name : message three" | makemv delim="," log | mvexpand log | eval log= mvindex(split(log,"name :"),-1) | stats count by log </CODE></PRE> Tue, 17 Dec 2019 01:41:24 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-table-and-regex-filter/m-p/466318#M131315 vnravikumar 2019-12-17T01:41:24Z