https://community.splunk.com/t5/Splunk-Search/How-to-extract-multiple-values-from-a-single-value-in-a-field/m-p/599497#M208672 <P>Thanks, this helped alot. Do you know how to extract a sentence? For example if the risk type was Type - Monitor User Activity Type - USB I would want a value with: "Type - Monitor User Activity" and "Type - USB". This solution only gives me "Type - Monitor" in this scenario</P> Thu, 26 May 2022 20:05:06 GMT xoamanda12xo 2022-05-26T20:05:06Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-multiple-values-from-a-single-value-in-a-field/m-p/599339#M208645 <P>I have a field called "Risk Type" that has categorical data associated with the type of risk of an event. For example, for one event it might say "Type - Network", but for another event that has more than one risk type it will say "Type - Network Type - USB Type - Data" where the three risk types are in a single value. What I want to do is to extract each type as a separate value, so for event X there would be three entries for each type. Ex: Event X Type - Network</P> <P>Event X Type - USB</P> <P>Event X Type - Data</P> <P>I tried doing mvexpand but this did not separate each type into multiple values. I also thought of using the rex command but I do not know what the regular expression would be to do this. How do I accomplish this?</P> Thu, 26 May 2022 20:11:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-multiple-values-from-a-single-value-in-a-field/m-p/599339#M208645 xoamanda12xo 2022-05-26T20:11:36Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-multiple-values-from-a-single-value-in-a-field/m-p/599344#M208647 <P>The <FONT face="courier new,courier">rex</FONT> command will work.&nbsp; Just provide a regex for a single match and include the <FONT face="courier new,courier">max_match=0</FONT> option and rex will return multiple hits.</P><LI-CODE lang="markup">| rex max_match=0 field='Risk Type' "Type - (?&lt;riskType&gt;\w+)"</LI-CODE> Wed, 25 May 2022 19:26:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-multiple-values-from-a-single-value-in-a-field/m-p/599344#M208647 richgalloway 2022-05-25T19:26:24Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-multiple-values-from-a-single-value-in-a-field/m-p/599346#M208648 <P>Try the following. Should give you what you're looking for.<BR /><BR /></P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">| rex max_match=0 field=risk_type "(?&lt;risk_type&gt;Type(?:(?!Type)[\s\S])*)" | mvexpand risk_type</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>###If this helps, kindly consider an upvote/accepting as an answer###</P> Fri, 27 May 2022 09:58:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-multiple-values-from-a-single-value-in-a-field/m-p/599346#M208648 shivanshu1593 2022-05-27T09:58:16Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-multiple-values-from-a-single-value-in-a-field/m-p/599497#M208672 <P>Thanks, this helped alot. Do you know how to extract a sentence? For example if the risk type was Type - Monitor User Activity Type - USB I would want a value with: "Type - Monitor User Activity" and "Type - USB". This solution only gives me "Type - Monitor" in this scenario</P> Thu, 26 May 2022 20:05:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-multiple-values-from-a-single-value-in-a-field/m-p/599497#M208672 xoamanda12xo 2022-05-26T20:05:06Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-multiple-values-from-a-single-value-in-a-field/m-p/599557#M208693 <P>I've updated the regex above. Please try that. Should extract the sentences that you listed as examples. If it needs more modification, kindly share some sample data to create an accurate regex.</P><P>###If it helps, kindly consider mark as accepted answer###</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 27 May 2022 09:57:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-multiple-values-from-a-single-value-in-a-field/m-p/599557#M208693 shivanshu1593 2022-05-27T09:57:56Z