https://community.splunk.com/t5/Splunk-Search/field-extraction/m-p/552738#M156899 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225135">@vinod0313</a>&nbsp;,</P><P>You could try with the rex command and the following regex for instance:</P><LI-CODE lang="markup">| rex "in (?&lt;value&gt;[\d\,\.]+) milliseconds$"</LI-CODE><P>&nbsp;</P><P>Let me know if that helps.</P><P>&nbsp;</P><P>Regards,</P><P>J</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 24 May 2021 09:53:09 GMT javiergn 2021-05-24T09:53:09Z https://community.splunk.com/t5/Splunk-Search/field-extraction/m-p/552730#M156898 <P>I have&nbsp; logs like below&nbsp;<BR />findContractsByPersonId(String) executed in 463 milliseconds<BR />findContractsByPersonId(String) executed in 4,681 milliseconds<BR />findContractsByPersonId(String) executed in 3,671 milliseconds<BR />findContractsByPersonId(String) executed in 681 milliseconds<BR /><BR />and i want to create a field which will give values from log like below<BR />463<BR />4,681<BR />3,671<BR />681<BR /><BR />i did filed extraction with below log<BR />findContractsByPersonId(String) executed in 463 milliseconds<BR /><BR />i am able to create filed but i can only get non coma separated values, i mean i am getting only&nbsp;<BR />463<BR />681 values<BR />i am not getting coma included values (those are&nbsp;4,681 and&nbsp;3,671)<BR />could you please suggest in order to get all the values (comma included values also)<BR /><BR /><BR /></P> Mon, 24 May 2021 09:35:19 GMT https://community.splunk.com/t5/Splunk-Search/field-extraction/m-p/552730#M156898 vinod0313 2021-05-24T09:35:19Z https://community.splunk.com/t5/Splunk-Search/field-extraction/m-p/552738#M156899 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225135">@vinod0313</a>&nbsp;,</P><P>You could try with the rex command and the following regex for instance:</P><LI-CODE lang="markup">| rex "in (?&lt;value&gt;[\d\,\.]+) milliseconds$"</LI-CODE><P>&nbsp;</P><P>Let me know if that helps.</P><P>&nbsp;</P><P>Regards,</P><P>J</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 24 May 2021 09:53:09 GMT https://community.splunk.com/t5/Splunk-Search/field-extraction/m-p/552738#M156899 javiergn 2021-05-24T09:53:09Z https://community.splunk.com/t5/Splunk-Search/field-extraction/m-p/552744#M156901 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/113132">@javiergn</a>&nbsp;<BR />it worked.</P> Mon, 24 May 2021 10:11:45 GMT https://community.splunk.com/t5/Splunk-Search/field-extraction/m-p/552744#M156901 vinod0313 2021-05-24T10:11:45Z https://community.splunk.com/t5/Splunk-Search/field-extraction/m-p/552755#M156905 <P>HI&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/113132">@javiergn</a>&nbsp;<BR /><BR />is there any chance we can disply the result without comma.As of now we are getting 2,061 but i want as 2061(comma should not be in the result)</P> Mon, 24 May 2021 11:20:05 GMT https://community.splunk.com/t5/Splunk-Search/field-extraction/m-p/552755#M156905 vinod0313 2021-05-24T11:20:05Z https://community.splunk.com/t5/Splunk-Search/field-extraction/m-p/552766#M156907 <P>Yes, you can use the rex command again with the mode=sed to remove the comma. Assuming your field name is "value" it would be something like:</P><LI-CODE lang="markup">| rex field=value mode=sed "s/\,//g"</LI-CODE><P>&nbsp;</P><P>If that worked for you please don't forget to upvote the answer so that others can benefit from it.</P><P>Regards,</P><P>J</P> Mon, 24 May 2021 12:21:25 GMT https://community.splunk.com/t5/Splunk-Search/field-extraction/m-p/552766#M156907 javiergn 2021-05-24T12:21:25Z