https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-multiple-fields-and-values-from-the-following/m-p/379688#M166706 <P>That actually seems to work </P> <P>There are still blanks in the output which is likely caused by the raw data within the same 'section' that contains e.g. s3://xxxx or https:// , so these are also seen as 'pairs' ...</P> <P>Is there a way exclude them from the output?</P> <P>Now they have no value </P> Thu, 08 Nov 2018 08:55:06 GMT edwinmae 2018-11-08T08:55:06Z https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-multiple-fields-and-values-from-the-following/m-p/379686#M166704 <P>I have raw information as follows: Two times Kaspersky output within one 'section'</P> <P>------------------------------------------------------------ snip of one section --------------------------------------------------------------------</P> <P>08/11/2018<BR /> 07:43:58.000<BR /><BR /> kaspersky output: <BR /> Scanned objects : 19<BR /> Total detected objects : 0<BR /> Infected and other objects : 0<BR /> Disinfected objects : 0<BR /> Moved to backup : 0<BR /> Removed objects : 0<BR /> Not disinfected objects : 0<BR /> Scan errors : 0<BR /> Corrupted objects : 0<BR /> Password protected objects : 0<BR /> Skipped : 0</P> <P><EM>Between the above/below output are many lines with all kind of information that is not really relevant</EM> </P> <P>kaspersky output: <BR /> Scanned objects : 1<BR /> Total detected objects : 0<BR /> Infected and other objects : 0<BR /> Disinfected objects : 0<BR /> Moved to backup : 0 <BR /> Removed objects : 0<BR /> Not disinfected objects : 0<BR /> Scan errors : 0<BR /> Corrupted objects : 0<BR /> Password protected objects : 0<BR /> Skipped : 0</P> <P><EM>And then there are many lines in the bottom that is not really relevant as well</EM></P> <P>------------------------------------------------------------ snip of one section --------------------------------------------------------------------</P> <P>Target is to have e.g. a time table with the values of each line, e.g. field value would be e.g. "Scanned objects" and its value would be 19 and 1 (in this case) <EM>-- and then similar approach for all the other lines --</EM></P> <P>I tried to extract the fields using the Regular Expression, but it seems it does not select every value (of e.g. Scanned objects), meaning I have blanks in the output itself </P> <P>Please advise how to actually get this done</P> Thu, 08 Nov 2018 08:00:30 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-multiple-fields-and-values-from-the-following/m-p/379686#M166704 edwinmae 2018-11-08T08:00:30Z https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-multiple-fields-and-values-from-the-following/m-p/379687#M166705 <P>Hi @edwinmae,<BR /> try kv extraction below-</P> <PRE><CODE>....|kv mv_add=true pairdelim="\r\n",kvdelim=":" </CODE></PRE> <P>It will separate key value pair</P> Thu, 08 Nov 2018 08:10:38 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-multiple-fields-and-values-from-the-following/m-p/379687#M166705 493669 2018-11-08T08:10:38Z https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-multiple-fields-and-values-from-the-following/m-p/379688#M166706 <P>That actually seems to work </P> <P>There are still blanks in the output which is likely caused by the raw data within the same 'section' that contains e.g. s3://xxxx or https:// , so these are also seen as 'pairs' ...</P> <P>Is there a way exclude them from the output?</P> <P>Now they have no value </P> Thu, 08 Nov 2018 08:55:06 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-multiple-fields-and-values-from-the-following/m-p/379688#M166706 edwinmae 2018-11-08T08:55:06Z https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-multiple-fields-and-values-from-the-following/m-p/379689#M166707 <P>you can remove fields using</P> <PRE><CODE>|fields - &lt;fieldname&gt; </CODE></PRE> Thu, 08 Nov 2018 09:14:09 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-multiple-fields-and-values-from-the-following/m-p/379689#M166707 493669 2018-11-08T09:14:09Z