https://community.splunk.com/t5/Splunk-Search/How-to-get-fields-extracted-by-two-fields/m-p/588814#M205056 <P>Much appreciated mate for your help!. It worked for me.</P> Fri, 11 Mar 2022 20:21:48 GMT kc_prane 2022-03-11T20:21:48Z https://community.splunk.com/t5/Splunk-Search/How-to-get-fields-extracted-by-two-fields/m-p/588772#M205043 <P><SPAN class="">&nbsp;i need&nbsp; the fields&nbsp; extracted&nbsp; by two fields&nbsp;</SPAN></P> <P><SPAN class="">1) Detail message&nbsp; = before the comma ( I need the full description)</SPAN></P> <P><SPAN class="">2) Count =&nbsp; after the comma ( I need the digit count)</SPAN></P> <P><SPAN class="">RAW Log starts from below :</SPAN></P> <LI-CODE lang="markup">DETAIL MESSAGE, COUNT Index 0 out of bounds for length 0, 61 No Recipienet found in MDM based on the input parameters, 120 No record found with this document Id, 86 No Records Found with given search Criteria in DB, 52 query did not return a unique result: 2; nested exception is javax.persistence.NonUniqueResultException: query did not return a unique result: 2, 106</LI-CODE> <P><SPAN class="">You</SPAN> <SPAN class="">do</SPAN> <SPAN class="">not</SPAN> <SPAN class="">currently</SPAN> <SPAN class="">manage</SPAN> <SPAN class="">any</SPAN> <SPAN class="">user</SPAN> <SPAN class="">roles</SPAN> <SPAN class="">in</SPAN> <SPAN class="">PERLSS</SPAN> <SPAN class="">there</SPAN> <SPAN class="">is</SPAN> <SPAN class="">no</SPAN> <SPAN class="">task</SPAN> <SPAN class="">data</SPAN> <SPAN class="">to</SPAN> <SPAN class="">display</SPAN> <SPAN class="">at</SPAN> <SPAN class="">this</SPAN> <SPAN class="">time</SPAN><SPAN>, </SPAN><SPAN class="">96</SPAN></P> Sat, 12 Mar 2022 05:49:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-fields-extracted-by-two-fields/m-p/588772#M205043 kc_prane 2022-03-12T05:49:31Z https://community.splunk.com/t5/Splunk-Search/How-to-get-fields-extracted-by-two-fields/m-p/588783#M205046 <P>This should get you started</P><LI-CODE lang="markup">| rex "(?&lt;detailMessage&gt;[^,]+), (?&lt;count&gt;\d+)"</LI-CODE> Fri, 11 Mar 2022 17:57:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-fields-extracted-by-two-fields/m-p/588783#M205046 richgalloway 2022-03-11T17:57:55Z https://community.splunk.com/t5/Splunk-Search/How-to-get-fields-extracted-by-two-fields/m-p/588792#M205048 <P>Thanks, @<SPAN>richgalloway. But here I am only getting the first line for the fields extracted&nbsp; in the log</SPAN></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kc_prane_0-1647023504759.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/18463i39C2912A063D38DE/image-size/medium?v=v2&amp;px=400" role="button" title="kc_prane_0-1647023504759.png" alt="kc_prane_0-1647023504759.png" /></span></P> Fri, 11 Mar 2022 18:34:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-fields-extracted-by-two-fields/m-p/588792#M205048 kc_prane 2022-03-11T18:34:27Z https://community.splunk.com/t5/Splunk-Search/How-to-get-fields-extracted-by-two-fields/m-p/588804#M205052 <P>You say you only get one line, but the screenshot shows 7 lines.</P><P>Please provide more information, including the query used and the props.conf settings for the sourcetype.</P> Fri, 11 Mar 2022 19:50:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-fields-extracted-by-two-fields/m-p/588804#M205052 richgalloway 2022-03-11T19:50:39Z https://community.splunk.com/t5/Splunk-Search/How-to-get-fields-extracted-by-two-fields/m-p/588809#M205053 <P>&nbsp;</P><P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp; &nbsp;I don't have much details of the props but the below screenshot shows the rex is working only for the first line.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kc_prane_0-1647028953208.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/18467i1FFBE67669624A55/image-size/medium?v=v2&amp;px=400" role="button" title="kc_prane_0-1647028953208.png" alt="kc_prane_0-1647028953208.png" /></span></P><P>&nbsp;</P> Fri, 11 Mar 2022 20:04:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-fields-extracted-by-two-fields/m-p/588809#M205053 kc_prane 2022-03-11T20:04:24Z https://community.splunk.com/t5/Splunk-Search/How-to-get-fields-extracted-by-two-fields/m-p/588813#M205055 <P>It was not clear from the OP that the sample data was a single event rather than multiple events.&nbsp; That means the regular expression matches multiple strings, but the <FONT face="courier new,courier">rex</FONT> command defaults to returning only the first.&nbsp; Use the <FONT face="courier new,courier">max_match</FONT> option to override that.</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">| rex max_match=0 "(?&lt;detailMessage&gt;[^,]+), (?&lt;count&gt;\d+)"</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>This will produce multi-value fields. You'll then need to use mv commands/functions to work with the fields.</P><P>Let us know what results you want and we can try to be more specific.</P> Fri, 11 Mar 2022 20:23:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-fields-extracted-by-two-fields/m-p/588813#M205055 richgalloway 2022-03-11T20:23:24Z https://community.splunk.com/t5/Splunk-Search/How-to-get-fields-extracted-by-two-fields/m-p/588814#M205056 <P>Much appreciated mate for your help!. It worked for me.</P> Fri, 11 Mar 2022 20:21:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-fields-extracted-by-two-fields/m-p/588814#M205056 kc_prane 2022-03-11T20:21:48Z