https://community.splunk.com/t5/Splunk-Search/Splunk-multiple-field-extraction/m-p/541108#M153177 <P>Try this:</P><LI-CODE lang="markup">| rex "job:'?(?&lt;job&gt;[^']+)'?,\srun:'?(?&lt;run&gt;\d+)'?" | rex "code:'(?&lt;code&gt;[^']+)'" | table job, run, code</LI-CODE><P>&nbsp;</P><P>&nbsp;If this reply helps you, an upvote/like would be appreciated.</P> Wed, 24 Feb 2021 04:46:06 GMT manjunathmeti 2021-02-24T04:46:06Z https://community.splunk.com/t5/Splunk-Search/Splunk-multiple-field-extraction/m-p/540517#M152923 <P>&nbsp;</P><P>&nbsp;I have the below Splunk Event &amp; need to extract multiple fields from the same :</P><P>&nbsp;</P><LI-CODE lang="markup">[TIMESTAMP=2021-02-19 12:16:30.684 UTC] [RUN_ID=] [TRACE_ID=] [STEP=End Processing] [LINE_NO=701] [LOG_LEVEL=TRACE] [MESSAGE=[ppv] [insert] Query completed , total 11 ms: [10 values] INSERT INTO errors (job,run,timestamp,count,alert,error,code,message,completets,active) VALUES (?,?,?,?,?,?,?,?,?,?); [job:'endcustomer--prod', run:'4569876', timestamp:1613736990530, count:200, alert:'failed after launch', error:'', code:'E302: Batch failed', message:'', completets:'', active:false]]</LI-CODE><P>&nbsp;</P><P>Expected Table Output :</P><TABLE border="1" width="100%"><TBODY><TR><TD width="33.333333333333336%">job</TD><TD width="33.333333333333336%">run</TD><TD width="33.333333333333336%">code</TD></TR><TR><TD width="33.333333333333336%">endcustomer--prod</TD><TD width="33.333333333333336%">4569876</TD><TD width="33.333333333333336%">E302: Batch failed</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>I was able to pick some field like :</P><P>run\:\'(?&lt;run&gt;\w+)'</P><P><A href="https://regex101.com/r/q7NqQb/1" target="_blank" rel="noopener">https://regex101.com/r/q7NqQb/1</A></P><P>However, unable to extract all the three fields above. Any help is appreciated.</P> Fri, 19 Feb 2021 12:42:47 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-multiple-field-extraction/m-p/540517#M152923 ppatkar 2021-02-19T12:42:47Z https://community.splunk.com/t5/Splunk-Search/Splunk-multiple-field-extraction/m-p/540521#M152925 <P>hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/176812">@ppatkar</a>,<BR /><BR />Use rex command twice:<BR /><BR /></P><LI-CODE lang="markup">| rex "job:'(?&lt;job&gt;[^']+)',\srun:'(?&lt;run&gt;[^']+)" | rex "code:'(?&lt;code&gt;[^']+)'" | table job, run, code</LI-CODE><P>&nbsp;</P><P>If this reply helps you, an upvote/like would be appreciated.</P> Fri, 19 Feb 2021 12:54:15 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-multiple-field-extraction/m-p/540521#M152925 manjunathmeti 2021-02-19T12:54:15Z https://community.splunk.com/t5/Splunk-Search/Splunk-multiple-field-extraction/m-p/540983#M153128 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/129090">@manjunathmeti</a>&nbsp;</P><P>I have one followup to the earlier , in certain events I see truncated output like below :</P><P>&nbsp;</P><LI-CODE lang="markup">[TIMESTAMP=2021-02-19 12:16:30.684 UTC] [RUN_ID=] [TRACE_ID=] [STEP=End Processing] [LINE_NO=701] [LOG_LEVEL=TRACE] [MESSAGE=[ppv] [insert] Query completed , total 11 ms: [10 values] INSERT INTO errors (job,run,timestamp,count,alert,error,code,message,completets,active) VALUES (?,?,?,?,?,?,?,?,?,?); [job:'endcustomer--pr..[truncated output], run:4569876, timestamp:1613736990530, count:200, alert:'failed after launch', error:'', code:'E302: Batch failed', message:'', completets:'', active:false]]</LI-CODE><P>&nbsp;</P><P>This is causing my job to get derived as null . Can you please advise ?</P><P>&nbsp;</P> Wed, 24 Feb 2021 04:20:50 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-multiple-field-extraction/m-p/540983#M153128 ppatkar 2021-02-24T04:20:50Z https://community.splunk.com/t5/Splunk-Search/Splunk-multiple-field-extraction/m-p/541108#M153177 <P>Try this:</P><LI-CODE lang="markup">| rex "job:'?(?&lt;job&gt;[^']+)'?,\srun:'?(?&lt;run&gt;\d+)'?" | rex "code:'(?&lt;code&gt;[^']+)'" | table job, run, code</LI-CODE><P>&nbsp;</P><P>&nbsp;If this reply helps you, an upvote/like would be appreciated.</P> Wed, 24 Feb 2021 04:46:06 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-multiple-field-extraction/m-p/541108#M153177 manjunathmeti 2021-02-24T04:46:06Z https://community.splunk.com/t5/Splunk-Search/Splunk-multiple-field-extraction/m-p/541143#M153188 <P>All in on rex</P><P>&nbsp;</P><LI-CODE lang="markup">Your search | rex "job:'(?&lt;job&gt;[^']+)'. run:'(?&lt;run&gt;[^']+)'.*? code:'(?&lt;code&gt;[^']+)'" | table job run code</LI-CODE><P>&nbsp;</P> Wed, 24 Feb 2021 09:16:26 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-multiple-field-extraction/m-p/541143#M153188 jotne 2021-02-24T09:16:26Z