https://community.splunk.com/t5/Splunk-Search/Multivalued-field-extraction/m-p/514608#M144449 <P>This is the search i am using to extract key/value from the field&nbsp; "<SPAN>RID</SPAN>" with multivalued "DEF"</P><P><SPAN>| rex max_match=0 field=RID "(?P&lt;key&gt;[A-Z]+)\s+:\s+(?P&lt;value&gt;[^\n|\"]+)\"?,?"</SPAN></P><P>RID=<BR />"ABC: ABC-2017-5715<BR />DEF: 4057120<BR />DEF : 4088779<BR />DEF : 4088782<BR />DEF : 4088786<BR />XYZ : <A href="https://portal.msrc.microsoft.com/en-US/&quot;" target="_blank" rel="noopener">https://portal.msrc.microsoft.com/en-US/"</A></P><P>This works fine while performed from the GUI and are extracted into new fields key &amp; value. But the same thing when applied through transforms.conf doesnt extract anything.&nbsp;</P><P># extract multiple fields within source_key and give them key=value<BR />SOURCE_KEY = RID<BR />#REGEX = ([A-Z]+)\s+\:\s+([^\s|\n|\"]+)\"?,?<BR />REGEX = ([A-Z]+)\s+:\s+([^\n|\"]+)\"?,?<BR />FORMAT = $1::$2<BR />MV_ADD = 1</P><P>The above is the extraction used in transforms.conf with appropriate reference in props.conf.&nbsp;Anybody who has faced something similar and been able to fix?&nbsp;</P> Tue, 18 Aug 2020 06:49:00 GMT Abhi89 2020-08-18T06:49:00Z https://community.splunk.com/t5/Splunk-Search/Multivalued-field-extraction/m-p/514608#M144449 <P>This is the search i am using to extract key/value from the field&nbsp; "<SPAN>RID</SPAN>" with multivalued "DEF"</P><P><SPAN>| rex max_match=0 field=RID "(?P&lt;key&gt;[A-Z]+)\s+:\s+(?P&lt;value&gt;[^\n|\"]+)\"?,?"</SPAN></P><P>RID=<BR />"ABC: ABC-2017-5715<BR />DEF: 4057120<BR />DEF : 4088779<BR />DEF : 4088782<BR />DEF : 4088786<BR />XYZ : <A href="https://portal.msrc.microsoft.com/en-US/&quot;" target="_blank" rel="noopener">https://portal.msrc.microsoft.com/en-US/"</A></P><P>This works fine while performed from the GUI and are extracted into new fields key &amp; value. But the same thing when applied through transforms.conf doesnt extract anything.&nbsp;</P><P># extract multiple fields within source_key and give them key=value<BR />SOURCE_KEY = RID<BR />#REGEX = ([A-Z]+)\s+\:\s+([^\s|\n|\"]+)\"?,?<BR />REGEX = ([A-Z]+)\s+:\s+([^\n|\"]+)\"?,?<BR />FORMAT = $1::$2<BR />MV_ADD = 1</P><P>The above is the extraction used in transforms.conf with appropriate reference in props.conf.&nbsp;Anybody who has faced something similar and been able to fix?&nbsp;</P> Tue, 18 Aug 2020 06:49:00 GMT https://community.splunk.com/t5/Splunk-Search/Multivalued-field-extraction/m-p/514608#M144449 Abhi89 2020-08-18T06:49:00Z https://community.splunk.com/t5/Splunk-Search/Multivalued-field-extraction/m-p/514615#M144451 <P><SPAN>SOURCE_KEY = field:RID</SPAN><BR /><SPAN>#REGEX = ([A-Z]+)\s+\:\s+([^\s|\n|\"]+)\"?,?</SPAN><BR /><SPAN>REGEX = (?m)([A-Z]+)\s*:\s*([^\"]+)$</SPAN><BR /><SPAN>FORMAT = $1::$2</SPAN><BR /><SPAN>MV_ADD = 1<BR /></SPAN><SPAN>REPEAT_MATCH = true<BR /><BR /></SPAN>RID field is indexed field?</P> Tue, 18 Aug 2020 07:16:18 GMT https://community.splunk.com/t5/Splunk-Search/Multivalued-field-extraction/m-p/514615#M144451 to4kawa 2020-08-18T07:16:18Z https://community.splunk.com/t5/Splunk-Search/Multivalued-field-extraction/m-p/514647#M144459 <P>Thats right&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/184221">@to4kawa</a>. "RID" is an indexed field.</P> Tue, 18 Aug 2020 08:41:54 GMT https://community.splunk.com/t5/Splunk-Search/Multivalued-field-extraction/m-p/514647#M144459 Abhi89 2020-08-18T08:41:54Z