topic Re: Field Extraction from complex events in Splunk Search https://community.splunk.com/t5/Splunk-Search/Field-Extraction-from-complex-events/m-p/577180#M201144 <BLOCKQUOTE><HR />Event 1 doesn't have the TRANSACTIONCODE field, but Event 2 does. These types of missing fields/field values coursing issues doing field extraction<HR /></BLOCKQUOTE><P>As noted in my previous message, ad hoc rex often suffer from inflexibility. &nbsp;This is one big reason to leverage builtin functions that complies with structured data types. &nbsp;I hope that the client will double your pay the next time they have some data that don't fit the existing code.</P><P>Yes, you can work around these conditions by crafting PCRE more carefully. &nbsp; For example, if the order of &nbsp;fields in the XML is absolutely certain, i.e., TRANSACTIONCODE always appear in between SRCADDR and RETURNCODE, you can use&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">(\\\u003cTRANSACTIONCODE\\\u003e(?&lt;TRANSACTIONCODE&gt;[^\\\]+)\\\u003c/TRANSACTIONCODE\\\u003e){0,1}</LI-CODE><P>&nbsp;</P><P>to signify that &lt;TRANSACTIONCODE&gt;***&lt;/TRANSACTIONCODE&gt; may appear 0 times or 1 time in between those two fields. NOTE here I surmise that you made a typo in the second sample event by closing TRANSACTIONCODE tag with&nbsp;<SPAN><EM>\003xy</EM> instead of expected <U>\u003e</U>&nbsp;(&gt;).</SPAN></P><P><SPAN>However, XML does not require fields to appear in any given order. &nbsp;So, there is no guarantee. &nbsp;If you must use rex, most people would do multiple extractions, one for each tag. &nbsp;This is also a better way to avoid the problem caused by fields appearing in some events but not others. &nbsp;For example, use</SPAN></P><P>&nbsp;</P><LI-CODE lang="markup">\\\u003cEVENTID\\\u003e(?&lt;EVENTID&gt;[^\\\]+)</LI-CODE><P>&nbsp;</P><P>to extract EVENTID, then use</P><P>&nbsp;</P><LI-CODE lang="markup">\\\u003cEVENTTYPE\\\u003e(?&lt;EVENTTYPE&gt;[^\\\]+)</LI-CODE><P>&nbsp;</P><P>to extract EVENTTYPE, and so on. &nbsp;No need to use (expr){0,1} because if the simple expression doesn't match, that field simply will not be extracted. (Even these singular field extractions may not work in all conditions. &nbsp; For one, there is no requirement for XML tags to have brackets immediately bound field name. &nbsp;For example, there can be any number of elements, blanks, line breaks, optional declarations, etc., between EVENTID and "&lt;" or "&gt;".)</P><P>This said, if you want to use fixed order, here is a construct that can extract both sample events.</P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults count=2 | streamstats count | eval _raw = if(count==1,"{\"log\":\"\u001b[0m\u001b[0m05:14:09,516 INFO [stdout] (default task-4193) 2021-12-02 05:14:09,516 INFO [tltest.logging.TltestEventWriter] \u003cMODTRANSAUDTRL\u003e\u003cEVENTID\u003e1210VIEW\u003c/EVENTID\u003e\u003cEVENTTYPE\u003eDATA_INTERACTION\u003c/EVENTTYPE\u003e\u003cSRCADDR\u003e192.131.8.1\u003c/SRCADDR\u003e\u003cRETURNCODE\u003e00\u003c/RETURNCODE\u003e\u003cSESSIONID\u003etfYU4-AEPnEzZg\u003c/SESSIONID\u003e\u003cSYSTEM\u003eTLCATS\u003c/SYSTEM\u003e\u003cTIMESTAMP\u003e20211202051409\u003c/TIMESTAMP\u003e\u003cUSERID\u003eAX3BLNB\u003c/USERID\u003e\u003cUSERTYPE\u003eAdmin\u003c/USERTYPE\u003e\u003cVARDATA\u003eCASE NUMBER, CASE NAME;052014011348000,BANTAM LLC\u003c/VARDATA\u003e\u003c/MODTRANSAUDTRL\u003e\n\",\"stream\":\"stdout\",\"time\":\"2021-12-02T05:14:09.517228451Z\"}", "{\"log\":\"\u001b[0m\u001b[0m05:14:09,516 INFO [stdout] (default task-4193) 2021-12-02 06:14:09,516 INFO [tltest.logging.TltestEventWriter] \u003cMODTRANSAUDTRL\u003e\u003cEVENTID\u003e1210VIEW\u003c/EVENTID\u003e\u003cEVENTTYPE\u003eDATA_INTERACTION\u003c/EVENTTYPE\u003e\u003cSRCADDR\u003e192.131.8.1\u003c/SRCADDR\u003e\u003cTRANSACTIONCODE\u003e192.131.8.1\u003c/TRANSACTIONCODE\u003e\u003cRETURNCODE\u003e00\u003c/RETURNCODE\u003e\u003cSESSIONID\u003etfYU4-AEPnEzZg\u003c/SESSIONID\u003e\u003cSYSTEM\u003eTLCATS\u003c/SYSTEM\u003e\u003cTIMESTAMP\u003e20211202051409\u003c/TIMESTAMP\u003e\u003cUSERID\u003eAX3BLNB\u003c/USERID\u003e\u003cUSERTYPE\u003eAdmin\u003c/USERTYPE\u003e\u003cVARDATA\u003eCASE NUMBER, CASE NAME;052014011348000,BANTAM LLC\u003c/VARDATA\u003e\u003c/MODTRANSAUDTRL\u003e\n\",\"stream\":\"stdout\",\"time\":\"2021-12-02T05:14:09.517228451Z\"}") | rex "\\\u003cEVENTID\\\u003e(?&lt;EVENTID&gt;[^\\\]+)\\\u003c/EVENTID\\\u003e\\\u003cEVENTTYPE\\\u003e(?&lt;EVENTTYPE&gt;[^\\\]+)\\\u003c/EVENTTYPE\\\u003e\\\u003cSRCADDR\\\u003e(?&lt;SRCADDR&gt;[^\\\]+)\\\u003c/SRCADDR\\\u003e(\\\u003cTRANSACTIONCODE\\\u003e(?&lt;TRANSACTIONCODE&gt;[^\\\]+)\\\u003c/TRANSACTIONCODE\\\u003e){0,1}\\\u003cRETURNCODE\\\u003e(?&lt;RETURNCODE&gt;[^\\\]+)\\\u003c/RETURNCODE\\\u003e\\\u003cSESSIONID\\\u003e(?&lt;SESSIONID&gt;[^\\\]+)\\\u003c/SESSIONID\\\u003e\\\u003cSYSTEM\\\u003e(?&lt;SYSTEM&gt;[^\\\]+)\\\u003c/SYSTEM\\\u003e\\\u003cTIMESTAMP\\\u003e(?&lt;TIMESTAMP&gt;[^\\\]+)\\\u003c/TIMESTAMP\\\u003e\\\u003cUSERID\\\u003e(?&lt;USERID&gt;[^\\\]+)\\\u003c/USERID\\\u003e\\\u003cUSERTYPE\\\u003e(?&lt;USERTYPE&gt;[^\\\]+)\\\u003c/USERTYPE\\\u003e\\\u003cVARDATA\\\u003e(?&lt;VARDATA&gt;[^\\\]+)"</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><TABLE><TBODY><TR><TD>EVENTID</TD><TD>EVENTTYPE</TD><TD>RETURNCODE</TD><TD>SESSIONID</TD><TD>SRCADDR</TD><TD>SYSTEM</TD><TD>TIMESTAMP</TD><TD>TRANSACTIONCODE</TD><TD>USERID</TD><TD>USERTYPE</TD><TD>VARDATA</TD><TD>_raw</TD><TD>_time</TD><TD>count</TD></TR><TR><TD>1210VIEW</TD><TD>DATA_INTERACTION</TD><TD>00</TD><TD>tfYU4-AEPnEzZg</TD><TD>192.131.8.1</TD><TD>TLCATS</TD><TD>20211202051409</TD><TD>&nbsp;</TD><TD>AX3BLNB</TD><TD>Admin</TD><TD>CASE NUMBER, CASE NAME;052014011348000,BANTAM LLC</TD><TD>{"log":"\u001b[0m\u001b[0m05:14:09,516 INFO [stdout] (default task-4193) 2021-12-02 05:14:09,516 INFO [tltest.logging.TltestEventWriter] \u003cMODTRANSAUDTRL\u003e\u003cEVENTID\u003e1210VIEW\u003c/EVENTID\u003e\u003cEVENTTYPE\u003eDATA_INTERACTION\u003c/EVENTTYPE\u003e\u003cSRCADDR\u003e192.131.8.1\u003c/SRCADDR\u003e\u003cRETURNCODE\u003e00\u003c/RETURNCODE\u003e\u003cSESSIONID\u003etfYU4-AEPnEzZg\u003c/SESSIONID\u003e\u003cSYSTEM\u003eTLCATS\u003c/SYSTEM\u003e\u003cTIMESTAMP\u003e20211202051409\u003c/TIMESTAMP\u003e\u003cUSERID\u003eAX3BLNB\u003c/USERID\u003e\u003cUSERTYPE\u003eAdmin\u003c/USERTYPE\u003e\u003cVARDATA\u003eCASE NUMBER, CASE NAME;052014011348000,BANTAM LLC\u003c/VARDATA\u003e\u003c/MODTRANSAUDTRL\u003e\n","stream":"stdout","time":"2021-12-02T05:14:09.517228451Z"}</TD><TD>2021-12-02 23:20:29</TD><TD>1</TD></TR><TR><TD>1210VIEW</TD><TD>DATA_INTERACTION</TD><TD>00</TD><TD>tfYU4-AEPnEzZg</TD><TD>192.131.8.1</TD><TD>TLCATS</TD><TD>20211202051409</TD><TD>192.131.8.1</TD><TD>AX3BLNB</TD><TD>Admin</TD><TD>CASE NUMBER, CASE NAME;052014011348000,BANTAM LLC</TD><TD>{"log":"\u001b[0m\u001b[0m05:14:09,516 INFO [stdout] (default task-4193) 2021-12-02 06:14:09,516 INFO [tltest.logging.TltestEventWriter] \u003cMODTRANSAUDTRL\u003e\u003cEVENTID\u003e1210VIEW\u003c/EVENTID\u003e\u003cEVENTTYPE\u003eDATA_INTERACTION\u003c/EVENTTYPE\u003e\u003cSRCADDR\u003e192.131.8.1\u003c/SRCADDR\u003e\u003cTRANSACTIONCODE\u003e192.131.8.1\u003c/TRANSACTIONCODE\u003e\u003cRETURNCODE\u003e00\u003c/RETURNCODE\u003e\u003cSESSIONID\u003etfYU4-AEPnEzZg\u003c/SESSIONID\u003e\u003cSYSTEM\u003eTLCATS\u003c/SYSTEM\u003e\u003cTIMESTAMP\u003e20211202051409\u003c/TIMESTAMP\u003e\u003cUSERID\u003eAX3BLNB\u003c/USERID\u003e\u003cUSERTYPE\u003eAdmin\u003c/USERTYPE\u003e\u003cVARDATA\u003eCASE NUMBER, CASE NAME;052014011348000,BANTAM LLC\u003c/VARDATA\u003e\u003c/MODTRANSAUDTRL\u003e\n","stream":"stdout","time":"2021-12-02T05:14:09.517228451Z"}</TD><TD>2021-12-02 23:20:29</TD><TD>2</TD></TR></TBODY></TABLE><P>Again, note that I use \u003e to close all tags.</P> Fri, 03 Dec 2021 07:37:47 GMT yuanliu 2021-12-03T07:37:47Z Field Extraction from complex events https://community.splunk.com/t5/Splunk-Search/Field-Extraction-from-complex-events/m-p/576977#M201084 <P class="lia-align-left">Hello,</P><P class="lia-align-left">I have some issues extracting fields from the following raw event. I should be getting following fileds from this event. Any help will be highly appreciated. Thank you!</P><P class="lia-align-left"><STRONG>Field Names:</STRONG></P><P class="lia-align-left"><SPAN>TIMESTAMP, USERTYPE, USERID, SYSTEM, EVENTTYPE, EVENTID, SRCADDR, SESSIONID, TAXPERIOD, RETURNCODE, TAXFILERTIN, VARDATA</SPAN></P><P class="lia-align-left"><STRONG>Sample Event:</STRONG></P><TABLE width="64"><TBODY><TR><TD width="64">{"log":"\u001b[0m\u001b[0m05:14:09,516 INFO&nbsp; [stdout] (default task-4193) 2021-12-02 05:14:09,516 INFO&nbsp; [tltest.logging.TltestEventWriter] \u003cMODTRANSAUDTRL\u003e\u003cEVENTID\u003e1210VIEW\u003c/EVENTID\u003e\u003cEVENTTYPE\u003eDATA_INTERACTION\u003c/EVENTTYPE\u003e\u003cSRCADDR\u003e192.131.8.1\u003c/SRCADDR\u003e\u003cRETURNCODE\u003e00\u003c/RETURNCODE\u003e\u003cSESSIONID\u003etfYU4-AEPnEzZg\u003c/SESSIONID\u003e\u003cSYSTEM\u003eTLCATS\u003c/SYSTEM\u003e\u003cTIMESTAMP\u003e20211202051409\u003c/TIMESTAMP\u003e\u003cUSERID\u003eAX3BLNB\u003c/USERID\u003e\u003cUSERTYPE\u003eAdmin\u003c/USERTYPE\u003e\u003cVARDATA\u003eCASE NUMBER, CASE NAME;052014011348000,BANTAM LLC\u003c/VARDATA\u003e\u003c/MODTRANSAUDTRL\u003e\n","stream":"stdout","time":"2021-12-02T05:14:09.517228451Z"}</TD></TR></TBODY></TABLE> Thu, 02 Dec 2021 05:52:24 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-from-complex-events/m-p/576977#M201084 SplunkDash 2021-12-02T05:52:24Z Re: Field Extraction from complex events https://community.splunk.com/t5/Splunk-Search/Field-Extraction-from-complex-events/m-p/576985#M201086 <P>I can see that your raw event is a valid JSON object; the "log" field in that object contains a valid XML element. &nbsp;Here is a strategy using spath command:</P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults | eval _raw = "{\"log\":\"\u001b[0m\u001b[0m05:14:09,516 INFO [stdout] (default task-4193) 2021-12-02 05:14:09,516 INFO [tltest.logging.TltestEventWriter] \u003cMODTRANSAUDTRL\u003e\u003cEVENTID\u003e1210VIEW\u003c/EVENTID\u003e\u003cEVENTTYPE\u003eDATA_INTERACTION\u003c/EVENTTYPE\u003e\u003cSRCADDR\u003e192.131.8.1\u003c/SRCADDR\u003e\u003cRETURNCODE\u003e00\u003c/RETURNCODE\u003e\u003cSESSIONID\u003etfYU4-AEPnEzZg\u003c/SESSIONID\u003e\u003cSYSTEM\u003eTLCATS\u003c/SYSTEM\u003e\u003cTIMESTAMP\u003e20211202051409\u003c/TIMESTAMP\u003e\u003cUSERID\u003eAX3BLNB\u003c/USERID\u003e\u003cUSERTYPE\u003eAdmin\u003c/USERTYPE\u003e\u003cVARDATA\u003eCASE NUMBER, CASE NAME;052014011348000,BANTAM LLC\u003c/VARDATA\u003e\u003c/MODTRANSAUDTRL\u003e\n\",\"stream\":\"stdout\",\"time\":\"2021-12-02T05:14:09.517228451Z\"}" ``` first, extract log from JSON ``` | spath | fields - _raw ``` this is just to clear table view, immaterial ``` ``` next, extract XML from log ``` | rex field=log mode=sed "s/.*tltest.logging.TltestEventWriter.\s//" ``` third, extract XML fields ``` | spath input=log</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><TABLE><TBODY><TR><TD>MODTRANSAUDTRL.EVENTID</TD><TD>MODTRANSAUDTRL.EVENTTYPE</TD><TD>MODTRANSAUDTRL.RETURNCODE</TD><TD>MODTRANSAUDTRL.SESSIONID</TD><TD>MODTRANSAUDTRL.SRCADDR</TD><TD>MODTRANSAUDTRL.SYSTEM</TD><TD>MODTRANSAUDTRL.TIMESTAMP</TD><TD>MODTRANSAUDTRL.USERID</TD><TD>MODTRANSAUDTRL.USERTYPE</TD><TD>MODTRANSAUDTRL.VARDATA</TD><TD>log</TD><TD>stream</TD><TD>time&lt;</TD></TR><TR><TD>1210VIEW</TD><TD>DATA_INTERACTION</TD><TD>00</TD><TD>tfYU4-AEPnEzZg</TD><TD>192.131.8.1</TD><TD>TLCATS</TD><TD>20211202051409</TD><TD>AX3BLNB</TD><TD>Admin</TD><TD>CASE NUMBER, CASE NAME;052014011348000,BANTAM LLC</TD><TD>&lt;MODTRANSAUDTRL&gt;&lt;EVENTID&gt;1210VIEW&lt;/EVENTID&gt;&lt;EVENTTYPE&gt;DATA_INTERACTION&lt;/EVENTTYPE&gt;&lt;SRCADDR&gt;192.131.8.1&lt;/SRCADDR&gt;&lt;RETURNCODE&gt;00&lt;/RETURNCODE&gt;&lt;SESSIONID&gt;tfYU4-AEPnEzZg&lt;/SESSIONID&gt;&lt;SYSTEM&gt;TLCATS&lt;/SYSTEM&gt;&lt;TIMESTAMP&gt;20211202051409&lt;/TIMESTAMP&gt;&lt;USERID&gt;AX3BLNB&lt;/USERID&gt;&lt;USERTYPE&gt;Admin&lt;/USERTYPE&gt;&lt;VARDATA&gt;CASE NUMBER, CASE NAME;052014011348000,BANTAM LLC&lt;/VARDATA&gt;&lt;/MODTRANSAUDTRL&gt;</TD><TD>stdout</TD><TD>2021-12-02T05:14:09.517228451Z</TD></TR></TBODY></TABLE> Thu, 02 Dec 2021 07:24:05 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-from-complex-events/m-p/576985#M201086 yuanliu 2021-12-02T07:24:05Z Re: Field Extraction from complex events https://community.splunk.com/t5/Splunk-Search/Field-Extraction-from-complex-events/m-p/577018#M201100 <P>Hello,</P><P>Thank you so much for sending me this field extraction code, truly appreciate it. But how I would implement this code here (please see screenshot below)?&nbsp; Any help will be highly appreciated, thank you again.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="malekmo_0-1638440552060.jpeg" style="width: 778px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/17088i7DEA46EEF8BACC39/image-dimensions/778x349?v=v2" width="778" height="349" role="button" title="malekmo_0-1638440552060.jpeg" alt="malekmo_0-1638440552060.jpeg" /></span></P><P>&nbsp;</P> Thu, 02 Dec 2021 10:24:32 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-from-complex-events/m-p/577018#M201100 SplunkDash 2021-12-02T10:24:32Z Re: Field Extraction from complex events https://community.splunk.com/t5/Splunk-Search/Field-Extraction-from-complex-events/m-p/577115#M201125 <P>The built-in Field Extraction may not be the best approach to your problem. &nbsp;I'll leave possible ways to do that to later. &nbsp;Let me first propose using macro. &nbsp;Like Field Extraction, using macro also allows code reuse and improves maintainability.</P><P>Go to "Settings -&gt; Advanced search -&gt; Search macros -&gt; New Search macro", put all what you tested into Definition. &nbsp;After you save it, say as "my-macro", you can invoke it in any place by inserting&nbsp;</P><LI-CODE lang="markup">`my-macro`</LI-CODE><P>Do some experiment with it. (You can parameterize a macro with arguments. &nbsp;But if you are new to macros, don't worry about that at the beginning.)</P><P>Now, to possible use of built-in Field Extraction. &nbsp;This is undesirable for several reasons. &nbsp;First, your actual data have well-known structures. &nbsp;It is advantageous to use SPL's builtin spath command to deal with them. &nbsp; Second, your data contains escaped non-ASCII Unicode, which makes use of regex messy, whereas builtin SPL functions take care of them painlessly. (Once multi-byte Unicode is "flattened" into escape code, it is not easy to turn them back explicitly in SPL.)</P><P>Still, I want to give one example using rex. &nbsp;The example is for EVENTID:</P><LI-CODE lang="markup">\\\u003cEVENTID\\\u003e(?&lt;EVENTID&gt;[^\\\]+)</LI-CODE><P>Note this example is constructed to merely be able to extract that &nbsp;value from the exact sample data you posted. &nbsp;It may not work for all your data.</P> Thu, 02 Dec 2021 18:15:38 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-from-complex-events/m-p/577115#M201125 yuanliu 2021-12-02T18:15:38Z Re: Field Extraction from complex events https://community.splunk.com/t5/Splunk-Search/Field-Extraction-from-complex-events/m-p/577168#M201142 <P>Hello,</P><P>Thank you so much and I also thought about micro. but client doesn't like to go that way. Good thing is that your&nbsp;\\u003cEVENTID\\u003e(?&lt;EVENTID&gt;[^\\]+) is working as expected. Only problem with that when I have any missing values or fields in the events, see the following 2 sample events, Event 1 doesn't have the TRANSACTIONCODE field, but Event 2 does. These types of missing fields/field values coursing issues doing field extraction using&nbsp;&nbsp;<STRONG>\\u003cEVENTID\\u003e(?&lt;EVENTID&gt;[^\\]+)</STRONG>&nbsp;. Would it be possible to address this issue? Thank you so much again, appreciate your support in these efforts.&nbsp;</P><P><STRONG>Complete codes (working as expected for Event 1 but not working for Event 2 due to&nbsp;TRANSACTIONCODE field )</STRONG></P><P>\\u003cEVENTID\\u003e(?&lt;EVENTID&gt;[^\\]+)\\u003c\/EVENTID\\u003e\\u003cEVENTTYPE\\u003e(?&lt;EVENTYPE&gt;[^\\]+)\\u003c\/EVENTTYPE\\u003e\\u003cSRCADDR\\u003e(?&lt;SRCADDR&gt;[^\\]+)\\u003c\/SRCADDR\\u003e\\u003cRETURNCODE\\u003e(?&lt;RETURNCODE&gt;[^\\]+)\\u003c\/RETURNCODE\\u003e\\u003cSESSIONID\\u003e(?&lt;SESSIONID&gt;[^\\]+)\\u003c\/SESSIONID\\u003e\\u003cSYSTEM\\u003e(?&lt;SYSTEM&gt;[^\\]+)\\u003c\/SYSTEM\\u003e\\u003cTIMESTAMP\\u003e(?&lt;TIMESTAMP&gt;[^\\]+)\\u003c\/TIMESTAMP\\u003e\\u003cUSERID\\u003e(?&lt;USERID&gt;[^\\]+)\\u003c\/USERID\\u003e\\u003cUSERTYPE\\u003e(?&lt;USERTYPE&gt;[^\\]+)\\u003c\/USERTYPE\\u003e\\u003cVARDATA\\u003e(?&lt;VARDATA&gt;[^\\]+)</P><P>&nbsp;</P><P><STRONG>Event 1</STRONG></P><P><SPAN>{"log":"\u001b[0m\u001b[0m05:14:09,516 INFO&nbsp; [stdout] (default task-4193) 2021-12-02 05:14:09,516 INFO&nbsp; [tltest.logging.TltestEventWriter] \u003cMODTRANSAUDTRL\u003e\u003cEVENTID\u003e1210VIEW\u003c/EVENTID\u003e\u003cEVENTTYPE\u003eDATA_INTERACTION\u003c/EVENTTYPE\u003e\u003cSRCADDR\u003e192.131.8.1\u003c/SRCADDR\u003e\u003cRETURNCODE\u003e00\u003c/RETURNCODE\u003e\u003cSESSIONID\u003etfYU4-AEPnEzZg\u003c/SESSIONID\u003e\u003cSYSTEM\u003eTLCATS\u003c/SYSTEM\u003e\u003cTIMESTAMP\u003e20211202051409\u003c/TIMESTAMP\u003e\u003cUSERID\u003eAX3BLNB\u003c/USERID\u003e\u003cUSERTYPE\u003eAdmin\u003c/USERTYPE\u003e\u003cVARDATA\u003eCASE NUMBER, CASE NAME;052014011348000,BANTAM LLC\u003c/VARDATA\u003e\u003c/MODTRANSAUDTRL\u003e\n","stream":"stdout","time":"2021-12-02T05:14:09.517228451Z"}</SPAN></P><P><STRONG>Event 2</STRONG></P><P>{"log":"\u001b[0m\u001b[0m05:14:09,516 INFO&nbsp; [stdout] (default task-4193) 2021-12-02 06:14:09,516 INFO&nbsp; [tltest.logging.TltestEventWriter] \u003cMODTRANSAUDTRL\u003e\u003cEVENTID\u003e1210VIEW\u003c/EVENTID\u003e\u003cEVENTTYPE\u003eDATA_INTERACTION\u003c/EVENTTYPE\u003e\u003cSRCADDR\u003e192.131.8.1\u003c/SRCADDR\u003e\u003c<STRONG>TRANSACTIONCODE</STRONG>\u003e192.131.8.1\u003c/<STRONG>TRANSACTIONCODE</STRONG>\003xy\u003cRETURNCODE\u003e00\u003c/RETURNCODE\u003e\u003cSESSIONID\u003etfYU4-AEPnEzZg\u003c/SESSIONID\u003e\u003cSYSTEM\u003eTLCATS\u003c/SYSTEM\u003e\u003cTIMESTAMP\u003e20211202051409\u003c/TIMESTAMP\u003e\u003cUSERID\u003eAX3BLNB\u003c/USERID\u003e\u003cUSERTYPE\u003eAdmin\u003c/USERTYPE\u003e\u003cVARDATA\u003eCASE NUMBER, CASE NAME;052014011348000,BANTAM LLC\u003c/VARDATA\u003e\u003c/MODTRANSAUDTRL\u003e\n","stream":"stdout","time":"2021-12-02T05:14:09.517228451Z"}</P> Fri, 03 Dec 2021 02:50:37 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-from-complex-events/m-p/577168#M201142 SplunkDash 2021-12-03T02:50:37Z Re: Field Extraction from complex events https://community.splunk.com/t5/Splunk-Search/Field-Extraction-from-complex-events/m-p/577180#M201144 <BLOCKQUOTE><HR />Event 1 doesn't have the TRANSACTIONCODE field, but Event 2 does. These types of missing fields/field values coursing issues doing field extraction<HR /></BLOCKQUOTE><P>As noted in my previous message, ad hoc rex often suffer from inflexibility. &nbsp;This is one big reason to leverage builtin functions that complies with structured data types. &nbsp;I hope that the client will double your pay the next time they have some data that don't fit the existing code.</P><P>Yes, you can work around these conditions by crafting PCRE more carefully. &nbsp; For example, if the order of &nbsp;fields in the XML is absolutely certain, i.e., TRANSACTIONCODE always appear in between SRCADDR and RETURNCODE, you can use&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">(\\\u003cTRANSACTIONCODE\\\u003e(?&lt;TRANSACTIONCODE&gt;[^\\\]+)\\\u003c/TRANSACTIONCODE\\\u003e){0,1}</LI-CODE><P>&nbsp;</P><P>to signify that &lt;TRANSACTIONCODE&gt;***&lt;/TRANSACTIONCODE&gt; may appear 0 times or 1 time in between those two fields. NOTE here I surmise that you made a typo in the second sample event by closing TRANSACTIONCODE tag with&nbsp;<SPAN><EM>\003xy</EM> instead of expected <U>\u003e</U>&nbsp;(&gt;).</SPAN></P><P><SPAN>However, XML does not require fields to appear in any given order. &nbsp;So, there is no guarantee. &nbsp;If you must use rex, most people would do multiple extractions, one for each tag. &nbsp;This is also a better way to avoid the problem caused by fields appearing in some events but not others. &nbsp;For example, use</SPAN></P><P>&nbsp;</P><LI-CODE lang="markup">\\\u003cEVENTID\\\u003e(?&lt;EVENTID&gt;[^\\\]+)</LI-CODE><P>&nbsp;</P><P>to extract EVENTID, then use</P><P>&nbsp;</P><LI-CODE lang="markup">\\\u003cEVENTTYPE\\\u003e(?&lt;EVENTTYPE&gt;[^\\\]+)</LI-CODE><P>&nbsp;</P><P>to extract EVENTTYPE, and so on. &nbsp;No need to use (expr){0,1} because if the simple expression doesn't match, that field simply will not be extracted. (Even these singular field extractions may not work in all conditions. &nbsp; For one, there is no requirement for XML tags to have brackets immediately bound field name. &nbsp;For example, there can be any number of elements, blanks, line breaks, optional declarations, etc., between EVENTID and "&lt;" or "&gt;".)</P><P>This said, if you want to use fixed order, here is a construct that can extract both sample events.</P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults count=2 | streamstats count | eval _raw = if(count==1,"{\"log\":\"\u001b[0m\u001b[0m05:14:09,516 INFO [stdout] (default task-4193) 2021-12-02 05:14:09,516 INFO [tltest.logging.TltestEventWriter] \u003cMODTRANSAUDTRL\u003e\u003cEVENTID\u003e1210VIEW\u003c/EVENTID\u003e\u003cEVENTTYPE\u003eDATA_INTERACTION\u003c/EVENTTYPE\u003e\u003cSRCADDR\u003e192.131.8.1\u003c/SRCADDR\u003e\u003cRETURNCODE\u003e00\u003c/RETURNCODE\u003e\u003cSESSIONID\u003etfYU4-AEPnEzZg\u003c/SESSIONID\u003e\u003cSYSTEM\u003eTLCATS\u003c/SYSTEM\u003e\u003cTIMESTAMP\u003e20211202051409\u003c/TIMESTAMP\u003e\u003cUSERID\u003eAX3BLNB\u003c/USERID\u003e\u003cUSERTYPE\u003eAdmin\u003c/USERTYPE\u003e\u003cVARDATA\u003eCASE NUMBER, CASE NAME;052014011348000,BANTAM LLC\u003c/VARDATA\u003e\u003c/MODTRANSAUDTRL\u003e\n\",\"stream\":\"stdout\",\"time\":\"2021-12-02T05:14:09.517228451Z\"}", "{\"log\":\"\u001b[0m\u001b[0m05:14:09,516 INFO [stdout] (default task-4193) 2021-12-02 06:14:09,516 INFO [tltest.logging.TltestEventWriter] \u003cMODTRANSAUDTRL\u003e\u003cEVENTID\u003e1210VIEW\u003c/EVENTID\u003e\u003cEVENTTYPE\u003eDATA_INTERACTION\u003c/EVENTTYPE\u003e\u003cSRCADDR\u003e192.131.8.1\u003c/SRCADDR\u003e\u003cTRANSACTIONCODE\u003e192.131.8.1\u003c/TRANSACTIONCODE\u003e\u003cRETURNCODE\u003e00\u003c/RETURNCODE\u003e\u003cSESSIONID\u003etfYU4-AEPnEzZg\u003c/SESSIONID\u003e\u003cSYSTEM\u003eTLCATS\u003c/SYSTEM\u003e\u003cTIMESTAMP\u003e20211202051409\u003c/TIMESTAMP\u003e\u003cUSERID\u003eAX3BLNB\u003c/USERID\u003e\u003cUSERTYPE\u003eAdmin\u003c/USERTYPE\u003e\u003cVARDATA\u003eCASE NUMBER, CASE NAME;052014011348000,BANTAM LLC\u003c/VARDATA\u003e\u003c/MODTRANSAUDTRL\u003e\n\",\"stream\":\"stdout\",\"time\":\"2021-12-02T05:14:09.517228451Z\"}") | rex "\\\u003cEVENTID\\\u003e(?&lt;EVENTID&gt;[^\\\]+)\\\u003c/EVENTID\\\u003e\\\u003cEVENTTYPE\\\u003e(?&lt;EVENTTYPE&gt;[^\\\]+)\\\u003c/EVENTTYPE\\\u003e\\\u003cSRCADDR\\\u003e(?&lt;SRCADDR&gt;[^\\\]+)\\\u003c/SRCADDR\\\u003e(\\\u003cTRANSACTIONCODE\\\u003e(?&lt;TRANSACTIONCODE&gt;[^\\\]+)\\\u003c/TRANSACTIONCODE\\\u003e){0,1}\\\u003cRETURNCODE\\\u003e(?&lt;RETURNCODE&gt;[^\\\]+)\\\u003c/RETURNCODE\\\u003e\\\u003cSESSIONID\\\u003e(?&lt;SESSIONID&gt;[^\\\]+)\\\u003c/SESSIONID\\\u003e\\\u003cSYSTEM\\\u003e(?&lt;SYSTEM&gt;[^\\\]+)\\\u003c/SYSTEM\\\u003e\\\u003cTIMESTAMP\\\u003e(?&lt;TIMESTAMP&gt;[^\\\]+)\\\u003c/TIMESTAMP\\\u003e\\\u003cUSERID\\\u003e(?&lt;USERID&gt;[^\\\]+)\\\u003c/USERID\\\u003e\\\u003cUSERTYPE\\\u003e(?&lt;USERTYPE&gt;[^\\\]+)\\\u003c/USERTYPE\\\u003e\\\u003cVARDATA\\\u003e(?&lt;VARDATA&gt;[^\\\]+)"</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><TABLE><TBODY><TR><TD>EVENTID</TD><TD>EVENTTYPE</TD><TD>RETURNCODE</TD><TD>SESSIONID</TD><TD>SRCADDR</TD><TD>SYSTEM</TD><TD>TIMESTAMP</TD><TD>TRANSACTIONCODE</TD><TD>USERID</TD><TD>USERTYPE</TD><TD>VARDATA</TD><TD>_raw</TD><TD>_time</TD><TD>count</TD></TR><TR><TD>1210VIEW</TD><TD>DATA_INTERACTION</TD><TD>00</TD><TD>tfYU4-AEPnEzZg</TD><TD>192.131.8.1</TD><TD>TLCATS</TD><TD>20211202051409</TD><TD>&nbsp;</TD><TD>AX3BLNB</TD><TD>Admin</TD><TD>CASE NUMBER, CASE NAME;052014011348000,BANTAM LLC</TD><TD>{"log":"\u001b[0m\u001b[0m05:14:09,516 INFO [stdout] (default task-4193) 2021-12-02 05:14:09,516 INFO [tltest.logging.TltestEventWriter] \u003cMODTRANSAUDTRL\u003e\u003cEVENTID\u003e1210VIEW\u003c/EVENTID\u003e\u003cEVENTTYPE\u003eDATA_INTERACTION\u003c/EVENTTYPE\u003e\u003cSRCADDR\u003e192.131.8.1\u003c/SRCADDR\u003e\u003cRETURNCODE\u003e00\u003c/RETURNCODE\u003e\u003cSESSIONID\u003etfYU4-AEPnEzZg\u003c/SESSIONID\u003e\u003cSYSTEM\u003eTLCATS\u003c/SYSTEM\u003e\u003cTIMESTAMP\u003e20211202051409\u003c/TIMESTAMP\u003e\u003cUSERID\u003eAX3BLNB\u003c/USERID\u003e\u003cUSERTYPE\u003eAdmin\u003c/USERTYPE\u003e\u003cVARDATA\u003eCASE NUMBER, CASE NAME;052014011348000,BANTAM LLC\u003c/VARDATA\u003e\u003c/MODTRANSAUDTRL\u003e\n","stream":"stdout","time":"2021-12-02T05:14:09.517228451Z"}</TD><TD>2021-12-02 23:20:29</TD><TD>1</TD></TR><TR><TD>1210VIEW</TD><TD>DATA_INTERACTION</TD><TD>00</TD><TD>tfYU4-AEPnEzZg</TD><TD>192.131.8.1</TD><TD>TLCATS</TD><TD>20211202051409</TD><TD>192.131.8.1</TD><TD>AX3BLNB</TD><TD>Admin</TD><TD>CASE NUMBER, CASE NAME;052014011348000,BANTAM LLC</TD><TD>{"log":"\u001b[0m\u001b[0m05:14:09,516 INFO [stdout] (default task-4193) 2021-12-02 06:14:09,516 INFO [tltest.logging.TltestEventWriter] \u003cMODTRANSAUDTRL\u003e\u003cEVENTID\u003e1210VIEW\u003c/EVENTID\u003e\u003cEVENTTYPE\u003eDATA_INTERACTION\u003c/EVENTTYPE\u003e\u003cSRCADDR\u003e192.131.8.1\u003c/SRCADDR\u003e\u003cTRANSACTIONCODE\u003e192.131.8.1\u003c/TRANSACTIONCODE\u003e\u003cRETURNCODE\u003e00\u003c/RETURNCODE\u003e\u003cSESSIONID\u003etfYU4-AEPnEzZg\u003c/SESSIONID\u003e\u003cSYSTEM\u003eTLCATS\u003c/SYSTEM\u003e\u003cTIMESTAMP\u003e20211202051409\u003c/TIMESTAMP\u003e\u003cUSERID\u003eAX3BLNB\u003c/USERID\u003e\u003cUSERTYPE\u003eAdmin\u003c/USERTYPE\u003e\u003cVARDATA\u003eCASE NUMBER, CASE NAME;052014011348000,BANTAM LLC\u003c/VARDATA\u003e\u003c/MODTRANSAUDTRL\u003e\n","stream":"stdout","time":"2021-12-02T05:14:09.517228451Z"}</TD><TD>2021-12-02 23:20:29</TD><TD>2</TD></TR></TBODY></TABLE><P>Again, note that I use \u003e to close all tags.</P> Fri, 03 Dec 2021 07:37:47 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-from-complex-events/m-p/577180#M201144 yuanliu 2021-12-03T07:37:47Z