https://community.splunk.com/t5/Splunk-Search/Field-Extraction-from-Multi-line-raw-data/m-p/530198#M149801 <P>This regex is not working,</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Supriya_0-1605873631829.png" style="width: 661px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/12002iAAC8FFB4C4CF4F0F/image-dimensions/661x98?v=v2" width="661" height="98" role="button" title="Supriya_0-1605873631829.png" alt="Supriya_0-1605873631829.png" /></span></P><P>Could you please help me with the Line_Breaker</P> Fri, 20 Nov 2020 12:00:54 GMT Supriya 2020-11-20T12:00:54Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction-from-Multi-line-raw-data/m-p/529325#M149481 <P>Hi,</P><P>I want to extract the fields Name, Version, VendorName, usesLicensing, LicenseType, ExpiractDateString, LicenseKey, SEN based on delimiter(:) from the below raw data</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Supriya_0-1605283541912.png" style="width: 791px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/11890i1EE2BC8350DF4DA7/image-dimensions/791x212?v=v2" width="791" height="212" role="button" title="Supriya_0-1605283541912.png" alt="Supriya_0-1605283541912.png" /></span></P><P>Could someone please help me with the query for field extraction.</P> Fri, 13 Nov 2020 16:09:31 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-from-Multi-line-raw-data/m-p/529325#M149481 Supriya 2020-11-13T16:09:31Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction-from-Multi-line-raw-data/m-p/529343#M149486 <P>What have you tried so far?</P><P>It would help if you posted the sample event as text rather than a screenshot so we can test without having to re-type that hideous mess (no way I'm typing all of that).</P><P>Is the number of fields constant?&nbsp; How about the number of ":"s?&nbsp; We need something to key off of to find the values.</P> Fri, 13 Nov 2020 18:06:42 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-from-Multi-line-raw-data/m-p/529343#M149486 richgalloway 2020-11-13T18:06:42Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction-from-Multi-line-raw-data/m-p/529482#M149543 <P>Thank you for your response!</P><P>The Query which I"m trying is:</P><P>index="index" source="E:\\Logs\\log.csv"|rename values(Date) as * | search Date="*:*"| mvexpand Date|<BR />eval&nbsp; Name=mvindex(split(Date,":"),0), Version=mvindex(split(Date,":"),1), VendorName=mvindex(split(Date,":"),2) |fields Name Version VendorName | table Name Version VendorName</P><P>The field names to extract are name, version, VendorName, usesLicensing, LicenseType, ExpiryDateString, LicenseKey, SEN</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Supriya_0-1605503559484.png" style="width: 706px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/11907iED7BF051FDDDCB94/image-dimensions/706x113?v=v2" width="706" height="113" role="button" title="Supriya_0-1605503559484.png" alt="Supriya_0-1605503559484.png" /></span></P><P>But I'm to extract only one row from the below Event</P><P>&nbsp;</P><P>Event Data:(having multiple rows in&nbsp; single event)</P><P>"name":"version":"VendorName":"usesLicensing":"LicenseType":"ExpiryDateString":"LicenseKey":"SEN"<BR />"Atlassian Troubleshooting and Support Tools":"1.24.1":"Atlassian":"False"::::<BR />"Confluence Cloud Migration Assistant":"2.5.1":"Atlassian":"False"::::<BR />"Copy Space Plugin":"2.3":"Atlassian":"False"::::<BR />"SAML Single Sign On for Confluence":"3.5.3":"re:solution":"True":"COMMERCIAL"::"AAABbQ0ODAoPeNqVkV9rwjAUxd/zKQJ70QdL63T+gcKkFiZTO1a3p73cdbc1mKblJpG5T7+0VuYeL<BR />YSQe5LfPef2bmeRLzHjwYT707k/mvszHqU7PvSDGdva8hMpyd80kg4D331siTojURtRqTBdbNY8F<BR />aqQ6LZC8UTxXpomfR5VKpcWVYY8r+j62EuRjkh93uJ4i/6YuxtliZQJkHwtMlQaWUQITZslGAwbP<BR />4NgOAimzMEMZGYLJYZrewD9w/kzHCp5UeINCBnKVvIOjfK4R6HwgMrLqpLFR5C2RYc5SNfJFT1CX<BR />UnbFD0wEnQtbSGU9jSUUuvK+4vguRbiiKEhi0yezb67FA1veCsrNUAGqTPijCuDCpwSf9eCTl32o<BR />d9mn7CEClBCn80/daH4yj0i1RZBsjTehm4NgvH9eDIePbBuoFdEq6QohcGvi7Y71dgONEo2m/g1W<BR />i3WtybBxkRNQneTebGU7UHj/983Yb/LuNtnMCwCFHR9orCqkZtBlrvqerjNLSnZ71C4AhQQjh4x1<BR />1O2SMKZihnj4mbQ2jX+bw==X02ht":"SEN-15357546"<BR />"SAMLWrapper-Plugin":"3.5.3":"re:solution":"False"::::<BR />"Team Calendars":"6.0.49":"Atlassian Pty Ltd":"True":"COMMERCIAL"::"AAABTg0ODAoPeNpdkF9LwzAUxd/zKQK+6MNGWwZdBwGlKzjcH3HVJ0Gu2a0LTdNykwz105t2FXSBv<BR />Nyc/O4556r0yJcoeZzyaL6IZoso4/m+5EkUZ2yJVpLqnGqNKBEanoNGcwCyvGqJ562ptEcjkV/vk<BR />U5INzyOwuHPFsm+LoKiaZCkAs3XSqKxyLa+eUfaVYNEDHLmAvtN/rKnaBxSR8qicOSR5YTQe1iCQ<BR />9Ebm8TJJJ6zsN+BdFtoUKx9Dfab8weoW30JDCJ1GmEXT3sHFLaJCnQwNxKLDSgt9ICc1j3x9ojKY<BR />I1mKtuGFSfQfrA0/tPncC8hUj9MWACEEAZCN8Vnp+hr9J5Eg/f00sbYTvnV4RAn3202xVO+uluzH<BR />X2AUfa87n60wVd9R2YYgmb7YivCnczTLEtmMzbi/qz2RqtGOTywR0/yCBb/t5myH9wCtHUwLgIVA<BR />I9H5o1K8FkD5GzwxpwvJeR1NEfQAhUAkR4yfmoZx9KvHtEXWsZQ8+8qaAM=X02gk":"SEN-8799244"<BR />"techradar":"1.1":"it-economics GmbH":"False"::::</P> Mon, 16 Nov 2020 05:13:56 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-from-Multi-line-raw-data/m-p/529482#M149543 Supriya 2020-11-16T05:13:56Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction-from-Multi-line-raw-data/m-p/529483#M149544 <P>In a single event, I have multiple rows,</P><P>(having 7 colons (:) )for each row</P> Mon, 16 Nov 2020 01:11:14 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-from-Multi-line-raw-data/m-p/529483#M149544 Supriya 2020-11-16T01:11:14Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction-from-Multi-line-raw-data/m-p/529559#M149572 <P>Consider onboarding the data as CSV (Colon-Separated Value) so Splunk handles the field extraction for you.</P><P>If you want to do it yourself then this regex should do it.</P><LI-CODE lang="markup">"(?&lt;name&gt;[^"]+)":"(?&lt;version&gt;[^"]+)":"(?&lt;VendorName&gt;[^"]+)":"(?&lt;usesLicensing&gt;[^"]+)":(?:"(?&lt;LicenseType&gt;[^"]*)")?:(?:"(?&lt;ExpiryDateString&gt;[^"]*)")?:(?:"(?&lt;LicenseKey&gt;[^"]*)")?:(?:"(?&lt;SEN&gt;[^"]*)")?</LI-CODE> Mon, 16 Nov 2020 15:21:26 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-from-Multi-line-raw-data/m-p/529559#M149572 richgalloway 2020-11-16T15:21:26Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction-from-Multi-line-raw-data/m-p/530198#M149801 <P>This regex is not working,</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Supriya_0-1605873631829.png" style="width: 661px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/12002iAAC8FFB4C4CF4F0F/image-dimensions/661x98?v=v2" width="661" height="98" role="button" title="Supriya_0-1605873631829.png" alt="Supriya_0-1605873631829.png" /></span></P><P>Could you please help me with the Line_Breaker</P> Fri, 20 Nov 2020 12:00:54 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-from-Multi-line-raw-data/m-p/530198#M149801 Supriya 2020-11-20T12:00:54Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction-from-Multi-line-raw-data/m-p/530210#M149807 <P>When that regex is used in the rex command the embedded quotation marks must be escaped, like this:</P><LI-CODE lang="markup">"(?&lt;name&gt;[^\\\"]+)\\\":\\\"(?&lt;version&gt;[^\\\"]+)\\\":\\\"(?&lt;VendorName&gt;[^\\\"]+)\\\":\\\"(?&lt;usesLicensing&gt;[^\\\"]+)\\\":(?:\\\"(?&lt;LicenseType&gt;[^\\\"]*)\\\")?:(?:\\\"(?&lt;ExpiryDateString&gt;[^\\\"]*)\\\")?:(?:\\\"(?&lt;LicenseKey&gt;[^\\\"]*)\\\")?:(?:\\\"(?&lt;SEN&gt;[^\\\"]*)\\\")?</LI-CODE><P>What LINE_BREAKER?&nbsp; This is the first mention of that.&nbsp; Please post a new question about it.</P> Fri, 20 Nov 2020 14:10:20 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-from-Multi-line-raw-data/m-p/530210#M149807 richgalloway 2020-11-20T14:10:20Z