https://community.splunk.com/t5/Splunk-Search/Multiple-values-field-extraction-with-colon-delimiter/m-p/544218#M154156 <P>Hi ,</P><P>use the below regex.</P><P>| rex "=(?&lt;error_code&gt;\d{3}.\w+.\w+.\d{3})"&nbsp; max_match=10</P> Wed, 17 Mar 2021 15:25:50 GMT Vardhan 2021-03-17T15:25:50Z https://community.splunk.com/t5/Splunk-Search/Multiple-values-field-extraction-with-colon-delimiter/m-p/544202#M154151 <P>Hi all,<BR />i have been trying to extract error code which is alphanumeric and is delimited as per below but not able to extract with the rex due to the unstructured fields, will there be any way to extract this fields to do a timechart on the error codes.any help pls</P><P>sample piece of log<BR /><SPAN class="t">error=30578910//=404.EBS.SYSTEM.101:6NAHKFZA//=404.IMS.SERVERIN.103:2GSO0LPT//=404.IES.SERVER.105:5X3HSH18M//=404.IES.SERVEROUT.105</SPAN><SPAN>,</SPAN><SPAN class="t">missingFulfillmentItems</SPAN></P><P>required output&nbsp;</P><P>404.EBS.SYSTEM.101</P><P>404.IMS.SERVERIN.103</P><P>404.IES.SERVER.105</P><P>404.IES.SERVEROUT.105</P> Wed, 17 Mar 2021 14:15:37 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-values-field-extraction-with-colon-delimiter/m-p/544202#M154151 kumar497 2021-03-17T14:15:37Z https://community.splunk.com/t5/Splunk-Search/Multiple-values-field-extraction-with-colon-delimiter/m-p/544206#M154152 <PRE>| rex max_match=1000 "(?://=(?[^:,]+))"<BR />| table _time, error_code</PRE><P>Output:</P><TABLE width="265px"><TBODY><TR><TD width="75px" height="25px">_time</TD><TD width="190px" height="25px">error_code</TD></TR><TR><TD width="75px" height="91px">2021-03-17 14:23:41</TD><TD width="190px" height="91px"><DIV class="multivalue-subcell">404.EBS.SYSTEM.101</DIV><DIV class="multivalue-subcell">404.IMS.SERVERIN.103</DIV><DIV class="multivalue-subcell">404.IES.SERVER.105</DIV><DIV class="multivalue-subcell">404.IES.SERVEROUT.105</DIV></TD></TR></TBODY></TABLE> Wed, 17 Mar 2021 14:28:56 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-values-field-extraction-with-colon-delimiter/m-p/544206#M154152 peter_krammer 2021-03-17T14:28:56Z https://community.splunk.com/t5/Splunk-Search/Multiple-values-field-extraction-with-colon-delimiter/m-p/544216#M154155 <P>thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/78311">@peter_krammer</a>&nbsp; for the response, but when appending to the search giving an error and also tried in the regex101.com which seems having an issue with grouping the structure,sorry if i missed anything<BR /><BR /><SPAN>Error in 'rex' command: Encountered the following error while compiling the regex '(?://=(?[^:,]+))': Regex: unrecognized character after (? or (?-.</SPAN></P> Wed, 17 Mar 2021 15:17:00 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-values-field-extraction-with-colon-delimiter/m-p/544216#M154155 kumar497 2021-03-17T15:17:00Z https://community.splunk.com/t5/Splunk-Search/Multiple-values-field-extraction-with-colon-delimiter/m-p/544218#M154156 <P>Hi ,</P><P>use the below regex.</P><P>| rex "=(?&lt;error_code&gt;\d{3}.\w+.\w+.\d{3})"&nbsp; max_match=10</P> Wed, 17 Mar 2021 15:25:50 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-values-field-extraction-with-colon-delimiter/m-p/544218#M154156 Vardhan 2021-03-17T15:25:50Z https://community.splunk.com/t5/Splunk-Search/Multiple-values-field-extraction-with-colon-delimiter/m-p/544224#M154157 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/232459">@Vardhan</a>&nbsp; it helps</P> Wed, 17 Mar 2021 15:55:03 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-values-field-extraction-with-colon-delimiter/m-p/544224#M154157 kumar497 2021-03-17T15:55:03Z