https://community.splunk.com/t5/Splunk-Search/REX-How-can-these-two-REX-commands-be-merged/m-p/609605#M211964 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;</P><P>As requested.&nbsp;&nbsp;Used this URL/tool...</P><P class="lia-indent-padding-left-30px"><A href="https://regex101.com/r/nE14zp/1" target="_blank">https://regex101.com/r/nE14zp/1</A></P><P>...to check these REX strings...</P><P class="lia-indent-padding-left-30px">^\S+\s(?&lt;microService&gt;\S+).*</P><P class="lia-indent-padding-left-30px">(?i)^(?:[^\+]*\+){2}\d+\]\s+\"(?P&lt;missingFileDetails&gt;[^\"]+)</P><P>...using this test string...</P><P class="lia-indent-padding-left-30px">2022-08-16T04:00:13.231444+00:00 CBF.microService af312b94-8abc-49ed-af80-969a5b0044e4[[APP/PROC/WEB/2]] 139.59.241.107, 100.64.240.3 - - - [16/Aug/2022:04:00:13 +0000] "GET /git/notifyCommit?url=2DQDJjcLvzZRdjs6bf9k0KOtJCs&amp;branches=2DQDJjcLvzZRdjs6bf9k0KOtJCs HTTP/1.1" 404 188</P><P>&nbsp;</P><P>The individual commands work but I am unable to concatenate [to get a table of microservices and missing files].</P><P>&nbsp;</P><P>Any help greatly appreciated</P> Tue, 16 Aug 2022 08:10:51 GMT Mick_OBrien 2022-08-16T08:10:51Z https://community.splunk.com/t5/Splunk-Search/REX-How-can-these-two-REX-commands-be-merged/m-p/609591#M211960 <P>I have two REX strings that work independently...</P> <P class="lia-indent-padding-left-30px">^\S+\s(?&lt;microService&gt;\S+).*</P> <P class="lia-indent-padding-left-30px">[supplied by previous SPLUNK answer]</P> <P>...and...</P> <P class="lia-indent-padding-left-30px">"(?i)^(?:[^\+]*\+){2}\d+\]\s+\"(?P&lt;missingFileDetails&gt;[^\"]+)"</P> <P class="lia-indent-padding-left-30px">[generated via erex]</P> <P>&nbsp;</P> <P>How can these two REX commands be merged?</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 16 Aug 2022 13:12:41 GMT https://community.splunk.com/t5/Splunk-Search/REX-How-can-these-two-REX-commands-be-merged/m-p/609591#M211960 Mick_OBrien 2022-08-16T13:12:41Z https://community.splunk.com/t5/Splunk-Search/REX-How-can-these-two-REX-commands-be-merged/m-p/609596#M211962 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/236514">@Mick_OBrien</a>,</P><P>to answer to your question, you should share some sample of your logs!</P><P>Ciao.</P><P>Giuseppe</P> Tue, 16 Aug 2022 07:52:25 GMT https://community.splunk.com/t5/Splunk-Search/REX-How-can-these-two-REX-commands-be-merged/m-p/609596#M211962 gcusello 2022-08-16T07:52:25Z https://community.splunk.com/t5/Splunk-Search/REX-How-can-these-two-REX-commands-be-merged/m-p/609605#M211964 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;</P><P>As requested.&nbsp;&nbsp;Used this URL/tool...</P><P class="lia-indent-padding-left-30px"><A href="https://regex101.com/r/nE14zp/1" target="_blank">https://regex101.com/r/nE14zp/1</A></P><P>...to check these REX strings...</P><P class="lia-indent-padding-left-30px">^\S+\s(?&lt;microService&gt;\S+).*</P><P class="lia-indent-padding-left-30px">(?i)^(?:[^\+]*\+){2}\d+\]\s+\"(?P&lt;missingFileDetails&gt;[^\"]+)</P><P>...using this test string...</P><P class="lia-indent-padding-left-30px">2022-08-16T04:00:13.231444+00:00 CBF.microService af312b94-8abc-49ed-af80-969a5b0044e4[[APP/PROC/WEB/2]] 139.59.241.107, 100.64.240.3 - - - [16/Aug/2022:04:00:13 +0000] "GET /git/notifyCommit?url=2DQDJjcLvzZRdjs6bf9k0KOtJCs&amp;branches=2DQDJjcLvzZRdjs6bf9k0KOtJCs HTTP/1.1" 404 188</P><P>&nbsp;</P><P>The individual commands work but I am unable to concatenate [to get a table of microservices and missing files].</P><P>&nbsp;</P><P>Any help greatly appreciated</P> Tue, 16 Aug 2022 08:10:51 GMT https://community.splunk.com/t5/Splunk-Search/REX-How-can-these-two-REX-commands-be-merged/m-p/609605#M211964 Mick_OBrien 2022-08-16T08:10:51Z https://community.splunk.com/t5/Splunk-Search/REX-How-can-these-two-REX-commands-be-merged/m-p/609608#M211967 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/236514">@Mick_OBrien</a>,</P><P>as you can see in the regex101 you shared the double regex is working on the sample you used, but maybe there are some differences in other logs and for this reason the double regex doesn't work.</P><P>Anyway, please try this:</P><LI-CODE lang="markup">^\d+-\d+-\d+T\d+:\d+:\d+\.\d+\+\d+:\d+\s+(?&lt;microservice&gt;\w+).*MESSAGE\=(?&lt;message&gt;.+)</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Tue, 16 Aug 2022 08:16:43 GMT https://community.splunk.com/t5/Splunk-Search/REX-How-can-these-two-REX-commands-be-merged/m-p/609608#M211967 gcusello 2022-08-16T08:16:43Z https://community.splunk.com/t5/Splunk-Search/REX-How-can-these-two-REX-commands-be-merged/m-p/609613#M211970 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;</P><P>&nbsp;</P><P>Sorry but I cannot get this to work - this rex string returned multiple pages of empty fields...</P><P class="lia-indent-padding-left-30px">rex field=_raw ^\d+-\d+-\d+T\d+:\d+:\d+\.\d+\+\d+:\d+\s+(?&lt;microservice&gt;\w+).*MESSAGE\=(?&lt;message&gt;.+)</P><P>its not picking up the microservice NOR does the test string supplied contain text 'MESSAGE='</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 16 Aug 2022 08:28:18 GMT https://community.splunk.com/t5/Splunk-Search/REX-How-can-these-two-REX-commands-be-merged/m-p/609613#M211970 Mick_OBrien 2022-08-16T08:28:18Z https://community.splunk.com/t5/Splunk-Search/REX-How-can-these-two-REX-commands-be-merged/m-p/609633#M211983 <LI-CODE lang="markup">| rex "^\S+\s(?&lt;microService&gt;\S+).*?\"(?P&lt;missingFileDetails&gt;[^\"]+)\""</LI-CODE> Tue, 16 Aug 2022 11:59:39 GMT https://community.splunk.com/t5/Splunk-Search/REX-How-can-these-two-REX-commands-be-merged/m-p/609633#M211983 ITWhisperer 2022-08-16T11:59:39Z