https://community.splunk.com/t5/Splunk-Search/Table-view/m-p/394245#M190822 <P>Hi Guys in splunk i need to create a report . i am trying to create a table with two columns please find the search key below </P> <P>messageTypeKey=CM0001 ,disQualificationMessage=Cancelled by validation rules. SafeTimeNoPhoneHasNoEmail <BR /> Table messageTypeKey,disQualificationMessage </P> <P>i need the message key and disqualification message <BR /> but the table looks like <BR /> CM0001 Cancelled </P> <P>the message after the Cancelled is not appending <BR /> i need some suggestions on this <BR /> thanks in advance</P> Mon, 22 Jul 2019 14:17:38 GMT venkat0896 2019-07-22T14:17:38Z https://community.splunk.com/t5/Splunk-Search/Table-view/m-p/394245#M190822 <P>Hi Guys in splunk i need to create a report . i am trying to create a table with two columns please find the search key below </P> <P>messageTypeKey=CM0001 ,disQualificationMessage=Cancelled by validation rules. SafeTimeNoPhoneHasNoEmail <BR /> Table messageTypeKey,disQualificationMessage </P> <P>i need the message key and disqualification message <BR /> but the table looks like <BR /> CM0001 Cancelled </P> <P>the message after the Cancelled is not appending <BR /> i need some suggestions on this <BR /> thanks in advance</P> Mon, 22 Jul 2019 14:17:38 GMT https://community.splunk.com/t5/Splunk-Search/Table-view/m-p/394245#M190822 venkat0896 2019-07-22T14:17:38Z https://community.splunk.com/t5/Splunk-Search/Table-view/m-p/394246#M190823 <P>Hi</P> <P>Can you provide your query with sample events?</P> Mon, 22 Jul 2019 14:57:15 GMT https://community.splunk.com/t5/Splunk-Search/Table-view/m-p/394246#M190823 vnravikumar 2019-07-22T14:57:15Z https://community.splunk.com/t5/Splunk-Search/Table-view/m-p/394247#M190824 <P>source=" " status="Cancelled" | table messageTypeKey,disQualificationMessage</P> Mon, 22 Jul 2019 15:25:07 GMT https://community.splunk.com/t5/Splunk-Search/Table-view/m-p/394247#M190824 venkat0896 2019-07-22T15:25:07Z https://community.splunk.com/t5/Splunk-Search/Table-view/m-p/394248#M190825 <P>Hi @venkat0896,</P> <P>This makes total sense because you are allowing splunk to auto-extract the field. </P> <P>By default the extraction that happens is KV which means key-value and in the case of <CODE>disQualificationMessage=Cancelled by validation rules</CODE>the value is only <CODE>Cancelled</CODE> and not the entire message.</P> <P>What you will need to do is extract a new field matching exactly what you want to have in the disqualification message. If in your case you need "Cancelled by validation rules. " then you can use the following regex for the extraction :</P> <PRE><CODE>disQualificationMessage\=(?&lt;disQualificationMessage&gt;[^\.]+) </CODE></PRE> <P>You can use this run anywhere search to test it out:</P> <PRE><CODE>| makeresults | eval A="messageTypeKey=CM0001 ,disQualificationMessage=Cancelled by validation rules. SafeTimeNoPhoneHasNoEmail" | rex field=A "disQualificationMessage\=(?&lt;disQualificationMessage&gt;[^\.]+)" </CODE></PRE> <P>Try this for the search in your comment:</P> <PRE><CODE>source=" " status="Cancelled" | rex field=_raw "disQualificationMessage\=(?&lt;disQualificationMessage&gt;[^\.]+)"| table messageTypeKey,disQualificationMessage </CODE></PRE> <P>Cheers,<BR /> David</P> Mon, 22 Jul 2019 15:28:42 GMT https://community.splunk.com/t5/Splunk-Search/Table-view/m-p/394248#M190825 DavidHourani 2019-07-22T15:28:42Z https://community.splunk.com/t5/Splunk-Search/Table-view/m-p/394249#M190826 <P>@venkat0896 you can use regular expression to perform field extraction as per your needs. Try the following rex command:</P> <PRE><CODE>| rex "disQualificationMessage=(?&lt;disQualificationMessage&gt;[^\.]+)\.\sSafeTimeNoPhoneHasNoEmail" </CODE></PRE> <P>Following is a run anywhere example based on your sample data:</P> <PRE><CODE>| makeresults | eval _raw="messageTypeKey=CM0001 ,disQualificationMessage=Cancelled by validation rules. SafeTimeNoPhoneHasNoEmail" | rex "disQualificationMessage=(?&lt;disQualificationMessage&gt;[^\.]+)\.\sSafeTimeNoPhoneHasNoEmail" </CODE></PRE> Mon, 22 Jul 2019 15:28:57 GMT https://community.splunk.com/t5/Splunk-Search/Table-view/m-p/394249#M190826 niketn 2019-07-22T15:28:57Z