https://community.splunk.com/t5/Splunk-Search/Extract-Multiple-fields/m-p/589057#M205146 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jayeshrajvir_0-1647344653392.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/18505i00873F2B99D74DF2/image-size/medium?v=v2&amp;px=400" role="button" title="jayeshrajvir_0-1647344653392.png" alt="jayeshrajvir_0-1647344653392.png" /></span></P><P>&nbsp;</P><P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/137142">@venky1544</a>&nbsp;It fetches/matching all the four fields. I wanted to match only two fields. Can you please share your thoughts.</P> Tue, 15 Mar 2022 11:45:40 GMT jayeshrajvir 2022-03-15T11:45:40Z https://community.splunk.com/t5/Splunk-Search/Extract-Multiple-fields/m-p/589041#M205137 <P>Sample data</P><P>[A028 : 00]<BR />[F037 : 928323177452]<BR />[F038 : 456137]<BR />[F039 : 0]</P><P>The query below is working but i wanted to merge, basically i wanted to use&nbsp;rex field=_raw just once. How to extract multiple fields</P><P>index=au_axs_common_log sourcetype=anz_axs_auth_core_log "[A028" |rex field=_raw "(\[F039\s*:(?.*?)\])"| rex field=_raw "\[A028\s*:(?.*?)\]" |stats count by axrc,vrc</P> Tue, 15 Mar 2022 09:32:03 GMT https://community.splunk.com/t5/Splunk-Search/Extract-Multiple-fields/m-p/589041#M205137 jayeshrajvir 2022-03-15T09:32:03Z https://community.splunk.com/t5/Splunk-Search/Extract-Multiple-fields/m-p/589045#M205141 <P>hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/243602">@jayeshrajvir</a>&nbsp;</P><P>try this regex&nbsp;\[\w+\s:\s\d+\]</P><P>just curious what are you doing with the regex coz there is no named group in the regex&nbsp; ??</P><P>is this a tweaked query you pasted here&nbsp;</P> Tue, 15 Mar 2022 09:48:35 GMT https://community.splunk.com/t5/Splunk-Search/Extract-Multiple-fields/m-p/589045#M205141 venky1544 2022-03-15T09:48:35Z https://community.splunk.com/t5/Splunk-Search/Extract-Multiple-fields/m-p/589057#M205146 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jayeshrajvir_0-1647344653392.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/18505i00873F2B99D74DF2/image-size/medium?v=v2&amp;px=400" role="button" title="jayeshrajvir_0-1647344653392.png" alt="jayeshrajvir_0-1647344653392.png" /></span></P><P>&nbsp;</P><P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/137142">@venky1544</a>&nbsp;It fetches/matching all the four fields. I wanted to match only two fields. Can you please share your thoughts.</P> Tue, 15 Mar 2022 11:45:40 GMT https://community.splunk.com/t5/Splunk-Search/Extract-Multiple-fields/m-p/589057#M205146 jayeshrajvir 2022-03-15T11:45:40Z https://community.splunk.com/t5/Splunk-Search/Extract-Multiple-fields/m-p/589080#M205153 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/243602">@jayeshrajvir</a>&nbsp;</P><P>PFB screenshot hope this helps&nbsp;</P><P>| makeresults |eval new = "[A028 : 00]"<BR />|append [|makeresults |eval new="[F037 : 928323177452]"]<BR />|append [|makeresults |eval new="[F038 : 456137]"]<BR />|append [|makeresults |eval new="[F039 : 0]"]<BR />|rex field=new "(\[A028|\[F038)\s:\s(?&lt;num&gt;\d+)\]"</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="venky1544_0-1647348590034.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/18512i2903912BD1E33BB2/image-size/medium?v=v2&amp;px=400" role="button" title="venky1544_0-1647348590034.png" alt="venky1544_0-1647348590034.png" /></span></P><P>&nbsp;</P> Tue, 15 Mar 2022 12:50:28 GMT https://community.splunk.com/t5/Splunk-Search/Extract-Multiple-fields/m-p/589080#M205153 venky1544 2022-03-15T12:50:28Z