https://community.splunk.com/t5/Splunk-Search/Field-extraction-needed/m-p/524686#M147992 <P>Perfect. Thank you!!!!</P> Wed, 14 Oct 2020 16:53:55 GMT mbasharat 2020-10-14T16:53:55Z https://community.splunk.com/t5/Splunk-Search/Field-extraction-needed/m-p/524652#M147978 <P>Hi,</P><P>I have data in XML format. Out of many fields that I have extracted, there is another field name <STRONG>pluginText</STRONG> which is in below format.&nbsp;I need to have some fields extracted from below.</P><P>I need below two fields. Also, if there is a rex I can use to extract all fields in below tags using a universal logic, that will be great. Thanks in-advance!!!</P><P><STRONG>Nessus version</STRONG></P><P><STRONG>Plugin feed version</STRONG></P><P>See sample below:</P><P>&nbsp;</P><LI-CODE lang="markup">pluginText: &lt;plugin_output&gt;Information about this scan : Nessus version : 7.6.3 Plugin feed version : 202010122335 Scanner edition used : Sample Scan type : Windows Agent Scan policy used : Windows_Server_2019 Scanner IP : 0.0.0.0 Thorough tests : no Experimental tests : no Paranoia level : 1 Report verbosity : 1 Safe checks : yes Optimize the test : yes Credentialed checks : yes Patch management checks : None Display superseded patches : yes (supersedence plugin did not launch) CGI scanning : disabled Web application tests : disabled Max hosts : Max checks : 5 Recv timeout : 5 Backports : None Allow post-scan editing: Yes Scan duration : unknown &lt;/plugin_output&gt;</LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Wed, 14 Oct 2020 14:38:22 GMT https://community.splunk.com/t5/Splunk-Search/Field-extraction-needed/m-p/524652#M147978 mbasharat 2020-10-14T14:38:22Z https://community.splunk.com/t5/Splunk-Search/Field-extraction-needed/m-p/524678#M147986 <LI-CODE lang="markup">| rex max_match=0 field=events "(\r|\n)*(?&lt;tag&gt;[^:]+):(?&lt;value&gt;[^\r\n]+)" | eval tagvalue=mvzip(tag,value,":") | mvexpand tagvalue | fields tagvalue | rex field=tagvalue "(?&lt;tag&gt;.+)\s:\s(?&lt;value&gt;.+)" | fields - tagvalue</LI-CODE><P>First line will extract the fields, the remainder creates separate events for each if you need that. If not, you could "lookup" the tags and their values in the multi-value fields thus</P><LI-CODE lang="markup">| rex max_match=0 field=events "(\r|\n)*(?&lt;tag&gt;[^:]+):(?&lt;value&gt;[^\r\n]+)" | eval tag=mvmap(tag,trim(tag)) | eval value=mvmap(value,trim(value)) | eval nessus=mvfind(tag,"Nessus version") | eval nessusvalue=mvindex(value,nessus)</LI-CODE> Wed, 14 Oct 2020 16:05:53 GMT https://community.splunk.com/t5/Splunk-Search/Field-extraction-needed/m-p/524678#M147986 ITWhisperer 2020-10-14T16:05:53Z https://community.splunk.com/t5/Splunk-Search/Field-extraction-needed/m-p/524681#M147988 <P>Hi ITWhisperer,</P><P>&nbsp;</P><P>So first solution produces results and I am testing them. I tried using the second one as well to test as well and it is giving error that <STRONG>mvmap</STRONG> is unsupported or undefined. I am&nbsp;@ Splunk Enterprise 7.x. Thanks.</P> Wed, 14 Oct 2020 16:16:34 GMT https://community.splunk.com/t5/Splunk-Search/Field-extraction-needed/m-p/524681#M147988 mbasharat 2020-10-14T16:16:34Z https://community.splunk.com/t5/Splunk-Search/Field-extraction-needed/m-p/524682#M147989 <P>There are a few things you can if you don't have mvmap</P><P>Include the space in the mvfind and trim the value found</P><LI-CODE lang="markup">| rex max_match=0 field=events "(\r|\n)*(?&lt;tag&gt;[^:]+):(?&lt;value&gt;[^\r\n]+)" | eval nessus=mvfind(tag,"Nessus version ") | eval nessusvalue=trim(mvindex(value,nessus))</LI-CODE><P>Compress " : " to ":" in the string before rex</P><LI-CODE lang="markup">| eval events=replace(events," : ",":") | rex max_match=0 field=events "(\r|\n)*(?&lt;tag&gt;[^:]+):(?&lt;value&gt;[^\r\n]+)" | eval nessus=mvfind(tag,"Nessus version") | eval nessusvalue=mvindex(value,nessus)</LI-CODE><P>&nbsp;</P> Wed, 14 Oct 2020 16:33:07 GMT https://community.splunk.com/t5/Splunk-Search/Field-extraction-needed/m-p/524682#M147989 ITWhisperer 2020-10-14T16:33:07Z https://community.splunk.com/t5/Splunk-Search/Field-extraction-needed/m-p/524686#M147992 <P>Perfect. Thank you!!!!</P> Wed, 14 Oct 2020 16:53:55 GMT https://community.splunk.com/t5/Splunk-Search/Field-extraction-needed/m-p/524686#M147992 mbasharat 2020-10-14T16:53:55Z