https://community.splunk.com/t5/Splunk-Search/How-to-extract-multiple-values-with-the-same-delimiter/m-p/511663#M143462 <P>This will give all log values irrespective of number logs. Trick is you need use "max_match" option with rex.</P><P>| makeresults | eval value= "log:word1 log:word2 log:word3" | rex field=value max_match=0 "log:(?[^ ]+)" | mvexpand LogValue | fields LogValue | fields - _*</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="spitchika_0-1596065961126.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/9948i28615FDA7D2305F1/image-size/medium?v=v2&amp;px=400" role="button" title="spitchika_0-1596065961126.png" alt="spitchika_0-1596065961126.png" /></span></P><P>&nbsp;</P> Wed, 29 Jul 2020 23:40:21 GMT spitchika 2020-07-29T23:40:21Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-multiple-values-with-the-same-delimiter/m-p/511543#M143404 <P>Hi</P> <P>I'm trying to regex my way into this puzzle, let me explain my problem.</P> <LI-CODE lang="markup">event 1 (field 2) raw value = log:word1 log:word2 log:word3 event 2 (field 2) raw value = log:19 log:word4</LI-CODE> <P>or</P> <LI-CODE lang="markup">The value in field2 from the first event (raw value). log:word1 log:word2 log:word3 The value in field2 from the second event (raw value). log:19 log:word4</LI-CODE> <P>I want to extract these "log:" values into 3 fields.<BR />Something like field log1 , log2 and log3.</P> <P>&nbsp;So I tried with this regex :</P> <LI-CODE lang="markup">":(?&lt;log1&gt;\S*) log:(?&lt;log2&gt;\S*) log:(?&lt;log3&gt;\S*)"</LI-CODE> <P><BR />Works perfectly with event 1, but didn't work for event 2 because there or only 2 “log:” values.<BR /><BR />Can anybody tell me how to make this work?</P> Thu, 30 Jul 2020 04:58:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-multiple-values-with-the-same-delimiter/m-p/511543#M143404 christopheducha 2020-07-30T04:58:19Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-multiple-values-with-the-same-delimiter/m-p/511660#M143460 <P>You can make the regex use quantifiers, so that 2nd and subsequent extractions are optional using ?</P><LI-CODE lang="markup">| makeresults | eval v=split("log:word1 log:word2 log:word3,log:19 log:word4",",") | mvexpand v | rex field=v ":(?&lt;log1&gt;\S*)( log:(?&lt;log2&gt;\S*))?( log:(?&lt;log3&gt;\S*))?"</LI-CODE><P>Hope this helps&nbsp;</P> Wed, 29 Jul 2020 23:27:03 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-multiple-values-with-the-same-delimiter/m-p/511660#M143460 bowesmana 2020-07-29T23:27:03Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-multiple-values-with-the-same-delimiter/m-p/511663#M143462 <P>This will give all log values irrespective of number logs. Trick is you need use "max_match" option with rex.</P><P>| makeresults | eval value= "log:word1 log:word2 log:word3" | rex field=value max_match=0 "log:(?[^ ]+)" | mvexpand LogValue | fields LogValue | fields - _*</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="spitchika_0-1596065961126.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/9948i28615FDA7D2305F1/image-size/medium?v=v2&amp;px=400" role="button" title="spitchika_0-1596065961126.png" alt="spitchika_0-1596065961126.png" /></span></P><P>&nbsp;</P> Wed, 29 Jul 2020 23:40:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-multiple-values-with-the-same-delimiter/m-p/511663#M143462 spitchika 2020-07-29T23:40:21Z