https://community.splunk.com/t5/Splunk-Search/How-to-split-the-result-of-max-match/m-p/609719#M212007 <P>That's great! It works for my case.</P> Tue, 16 Aug 2022 22:45:34 GMT haiweichen 2022-08-16T22:45:34Z https://community.splunk.com/t5/Splunk-Search/How-to-split-the-result-of-max-match/m-p/609625#M211979 <P>The values I need are located in the field "msg". Each msg contains 3 records. I run this query and get the result as below,</P> <P>&nbsp;</P> <LI-CODE lang="markup">index=summary | search msg="*blablabla*" | rex max_match=3 "Type=(?&lt;Type&gt;.+?)\," | rex max_match=3 "Restaurant=(?&lt;Restaurant&gt;.+?)\," | rex max_match=3 "Date=(?&lt;Date&gt;.+?)\," | rex max_match=3 "status=(?&lt;status&gt;.+?)\," | table Date, Restaurant, Type, status</LI-CODE> <P>&nbsp;</P> <P>Date Restaurant Type Status</P> <TABLE width="759px"> <TBODY> <TR> <TD width="228.635px" height="91px"> <DIV class="">2021-03-10</DIV> <DIV class="">2022-01-04</DIV> <DIV class="">2021-05-01</DIV> </TD> <TD width="387.448px" height="91px"> <DIV class="">Domino</DIV> <DIV class="">SOUTHERN RESTAURANTS TRUST</DIV> <DIV class="">MCDONALD'S</DIV> </TD> <TD width="82.9062px" height="91px"> <DIV class="">A</DIV> <DIV class="">B</DIV> <DIV class="">A</DIV> </TD> <TD width="59.0104px" height="91px"> <DIV class="">NEW</DIV> <DIV class="">USED</DIV> <DIV class="">USED</DIV> </TD> </TR> <TR> <TD width="228.635px" height="69px"> <DIV class="">2021-03-11</DIV> <DIV class="">2021-03-12</DIV> <DIV class="">2022-02-05</DIV> </TD> <TD width="387.448px" height="69px"> <DIV class="">KFC</DIV> <DIV class="">Domino</DIV> <DIV class="">MCDONALD'S</DIV> </TD> <TD width="82.9062px" height="69px"> <DIV class="">C</DIV> <DIV class="">B</DIV> <DIV class="">A</DIV> </TD> <TD width="59.0104px" height="69px"> <DIV class="">NEW</DIV> <DIV class="">NEW</DIV> <DIV class="">USED</DIV> </TD> </TR> <TR> <TD width="228.635px" height="69px"> <DIV class="">2021-03-11</DIV> <DIV class="">2021-12-20</DIV> <DIV class="">2021-05-09</DIV> </TD> <TD width="387.448px" height="69px"> <DIV class="">Rooster</DIV> <DIV class="">CYREN BAR</DIV> <DIV class="">MCDONALD'S</DIV> </TD> <TD width="82.9062px" height="69px"> <DIV class="">A</DIV> <DIV class="">A</DIV> <DIV class="">B</DIV> </TD> <TD width="59.0104px" height="69px"> <DIV class="">NEW</DIV> <DIV class="">USED</DIV> <DIV class="">USED</DIV> </TD> </TR> <TR> <TD width="228.635px" height="69px"> <DIV class="">2021-03-12</DIV> <DIV class="">2021-12-18</DIV> <DIV class="">2021-06-22</DIV> </TD> <TD width="387.448px" height="69px"> <DIV class="">Helo</DIV> <DIV class="">KFC</DIV> <DIV class="">MCDONALD'S</DIV> </TD> <TD width="82.9062px" height="69px"> <DIV class="">A</DIV> <DIV class="">A</DIV> <DIV class="">B</DIV> </TD> <TD width="59.0104px" height="69px"> <DIV class="">NEW</DIV> <DIV class="">USED</DIV> <DIV class="">USED</DIV> </TD> </TR> <TR> <TD width="228.635px" height="69px"> <DIV class="">2021-03-12</DIV> <DIV class="">2022-01-05</DIV> <DIV class="">2022-01-14</DIV> </TD> <TD width="387.448px" height="69px"> <DIV class="">KFC</DIV> <DIV class="">MCDONALD'S</DIV> <DIV class="">MCDONALD'S</DIV> </TD> <TD width="82.9062px" height="69px"> <DIV class=""> <DIV class="">A</DIV> <DIV class="">A</DIV> <DIV class="">B</DIV> </DIV> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>The question is, how can I make each record separated? I would like to use query "where restaurant=KFC" to look for specific restaurant.</P> <P>&nbsp;</P> Tue, 16 Aug 2022 23:28:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-split-the-result-of-max-match/m-p/609625#M211979 haiweichen 2022-08-16T23:28:31Z https://community.splunk.com/t5/Splunk-Search/How-to-split-the-result-of-max-match/m-p/609629#M211982 <LI-CODE lang="markup">index=summary | search msg="*blablabla*" | rex max_match=3 "Type=(?&lt;Type&gt;.+?)\," | rex max_match=3 "Restaurant=(?&lt;Restaurant&gt;.+?)\," | rex max_match=3 "Date=(?&lt;Date&gt;.+?)\," | rex max_match=3 "status=(?&lt;status&gt;.+?)\," | eval row=mvzip(mvzip(Date,Restaurant,"|"),mvzip(Type,status,"|"),"|") | mvexpand row | eval Date=mvindex(split(row,"|"),0) | eval Restaurant=mvindex(split(row,"|"),1) | eval Type=mvindex(split(row,"|"),2) | eval status=mvindex(split(row,"|"),3) | table Date, Restaurant, Type, status</LI-CODE> Tue, 16 Aug 2022 10:32:03 GMT https://community.splunk.com/t5/Splunk-Search/How-to-split-the-result-of-max-match/m-p/609629#M211982 ITWhisperer 2022-08-16T10:32:03Z https://community.splunk.com/t5/Splunk-Search/How-to-split-the-result-of-max-match/m-p/609719#M212007 <P>That's great! It works for my case.</P> Tue, 16 Aug 2022 22:45:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-split-the-result-of-max-match/m-p/609719#M212007 haiweichen 2022-08-16T22:45:34Z