https://community.splunk.com/t5/Splunk-Search/Rex-multiple-strings-from-field-query/m-p/376583#M170417 <P>Morning all, </P> <P>I hope this is an easy one where i am just missing some login somewhere.</P> <P>I have a field called errors that houses data that looks like this:</P> <P>*<EM>Fieldname *</EM><BR /><BR /> errors</P> <P><STRONG>String</STRONG><BR /> 56005:16;69002:1;56009:3958</P> <P>This is indicating that a single event can incur multiple errors and i need to pull all the error codes separately (codes are always numerical and always 5 digits long). </P> <P>The colon and digits after indicate count volumes which are irrelevant and the delimiter is always a semi-colon.</P> <P>This seems quite an easy pull as the rex is simply "(\d\d\d\d\d):"</P> <P>However i can't get splunk to spit anything out at all (and ive tried lots of variations).</P> <P>Ideally i want to stats value the result by user so i end up with something like the below:</P> <P>user1 56005<BR /> 56002<BR /> 69009<BR /> User2 66095<BR /> 56077</P> <P>any ideas?:</P> Thu, 11 Jul 2019 07:19:48 GMT stephenreece 2019-07-11T07:19:48Z https://community.splunk.com/t5/Splunk-Search/Rex-multiple-strings-from-field-query/m-p/376583#M170417 <P>Morning all, </P> <P>I hope this is an easy one where i am just missing some login somewhere.</P> <P>I have a field called errors that houses data that looks like this:</P> <P>*<EM>Fieldname *</EM><BR /><BR /> errors</P> <P><STRONG>String</STRONG><BR /> 56005:16;69002:1;56009:3958</P> <P>This is indicating that a single event can incur multiple errors and i need to pull all the error codes separately (codes are always numerical and always 5 digits long). </P> <P>The colon and digits after indicate count volumes which are irrelevant and the delimiter is always a semi-colon.</P> <P>This seems quite an easy pull as the rex is simply "(\d\d\d\d\d):"</P> <P>However i can't get splunk to spit anything out at all (and ive tried lots of variations).</P> <P>Ideally i want to stats value the result by user so i end up with something like the below:</P> <P>user1 56005<BR /> 56002<BR /> 69009<BR /> User2 66095<BR /> 56077</P> <P>any ideas?:</P> Thu, 11 Jul 2019 07:19:48 GMT https://community.splunk.com/t5/Splunk-Search/Rex-multiple-strings-from-field-query/m-p/376583#M170417 stephenreece 2019-07-11T07:19:48Z https://community.splunk.com/t5/Splunk-Search/Rex-multiple-strings-from-field-query/m-p/376584#M170418 <P>current search = | rex field=errors "(?(\d\d\d\d\d):)"</P> Thu, 11 Jul 2019 07:29:47 GMT https://community.splunk.com/t5/Splunk-Search/Rex-multiple-strings-from-field-query/m-p/376584#M170418 stephenreece 2019-07-11T07:29:47Z https://community.splunk.com/t5/Splunk-Search/Rex-multiple-strings-from-field-query/m-p/376585#M170419 <P>this will give back the first rex entry only, so i need a way to reproduce and collect an unlimited amount of REX groups.. (each string may contain from 1 to 1000 codes).</P> Thu, 11 Jul 2019 07:41:39 GMT https://community.splunk.com/t5/Splunk-Search/Rex-multiple-strings-from-field-query/m-p/376585#M170419 stephenreece 2019-07-11T07:41:39Z https://community.splunk.com/t5/Splunk-Search/Rex-multiple-strings-from-field-query/m-p/376586#M170420 <P>@stephenreece </P> <P>Try</P> <PRE><CODE>|rex field=errors max_match=0 "(?&lt;Errors&gt;\d{5}):" </CODE></PRE> Thu, 11 Jul 2019 12:11:34 GMT https://community.splunk.com/t5/Splunk-Search/Rex-multiple-strings-from-field-query/m-p/376586#M170420 renjith_nair 2019-07-11T12:11:34Z