https://community.splunk.com/t5/Splunk-Search/Splunk-SPL-How-do-I-use-regex-to-create-an-alert/m-p/616087#M214095 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/70277">@uagraw01</a>,</P><P>you should explore the transpose command (<A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transpose" target="_blank">https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transpose</A>) that permits to transpose a list of fields from row to column, something like this:</P><LI-CODE lang="markup">&lt;your_search&gt; | rex field=_raw "Site\|\_\_SYSTEM\__(?&lt;ServiceName&gt;[A-Za-z]+)" | rex field=_raw "Message\s\=\s(?&lt;Error_Message&gt;.+\:\s[A-Za-z0-9]+)" | rex field=_raw "failed:\s(?&lt;OrderNumber&gt;[A-Za-z0-9]+)" | rex field=_raw "httpStatusCode\s\=\s(?&lt;ResponseTime&gt;[0-9]+)" | rex field=_raw "ResponseTime\s\=\s(?&lt;Reason&gt;.+)" | table ServiceName Error_Message OrderNumber ResponseTime Reason | transpose 5 | rename "row 1" AS Value | fields Value</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Thu, 06 Oct 2022 06:33:18 GMT gcusello 2022-10-06T06:33:18Z https://community.splunk.com/t5/Splunk-Search/Splunk-SPL-How-do-I-use-regex-to-create-an-alert/m-p/616084#M214093 <P>Hello Splunker!</P> <P>I created below regex from the raw events. And I want to create an alert which show the event in one cloumn only.</P> <LI-CODE lang="markup">| rex field=_raw "Site\|\_\_SYSTEM\__(?&lt;ServiceName&gt;[A-Za-z]+)" | rex field=_raw "Message\s\=\s(?&lt;Error_Message&gt;.+\:\s[A-Za-z0-9]+)" | rex field=_raw "failed:\s(?&lt;OrderNumber&gt;[A-Za-z0-9]+)" | rex field=_raw "httpStatusCode\s\=\s(?&lt;ResponseTime&gt;[0-9]+)" | rex field=_raw "ResponseTime\s\=\s(?&lt;Reason&gt;.+)"</LI-CODE> <P>By using all the fields i want one liner column result like . Please let me know how to concate and use makemv command. And if any other approach then please guide me.</P> <TABLE width="133"> <TBODY> <TR> <TD width="132px" height="25px">ServiceName</TD> </TR> <TR> <TD width="132px" height="25px">Error_Message</TD> </TR> <TR> <TD width="132px" height="25px">OrderNumber</TD> </TR> <TR> <TD width="132px" height="25px">Reason</TD> </TR> <TR> <TD width="132px" height="25px">ResponseTime</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> Thu, 06 Oct 2022 13:50:35 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-SPL-How-do-I-use-regex-to-create-an-alert/m-p/616084#M214093 uagraw01 2022-10-06T13:50:35Z https://community.splunk.com/t5/Splunk-Search/Splunk-SPL-How-do-I-use-regex-to-create-an-alert/m-p/616087#M214095 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/70277">@uagraw01</a>,</P><P>you should explore the transpose command (<A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transpose" target="_blank">https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transpose</A>) that permits to transpose a list of fields from row to column, something like this:</P><LI-CODE lang="markup">&lt;your_search&gt; | rex field=_raw "Site\|\_\_SYSTEM\__(?&lt;ServiceName&gt;[A-Za-z]+)" | rex field=_raw "Message\s\=\s(?&lt;Error_Message&gt;.+\:\s[A-Za-z0-9]+)" | rex field=_raw "failed:\s(?&lt;OrderNumber&gt;[A-Za-z0-9]+)" | rex field=_raw "httpStatusCode\s\=\s(?&lt;ResponseTime&gt;[0-9]+)" | rex field=_raw "ResponseTime\s\=\s(?&lt;Reason&gt;.+)" | table ServiceName Error_Message OrderNumber ResponseTime Reason | transpose 5 | rename "row 1" AS Value | fields Value</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Thu, 06 Oct 2022 06:33:18 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-SPL-How-do-I-use-regex-to-create-an-alert/m-p/616087#M214095 gcusello 2022-10-06T06:33:18Z https://community.splunk.com/t5/Splunk-Search/Splunk-SPL-How-do-I-use-regex-to-create-an-alert/m-p/616089#M214097 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp; I need a result output as below:<BR /><BR />ServiceName: Paypal<BR />Error_Message: Declined payment<BR />OrderNumber: GGTHLL<BR />ResponseTime: 500<BR />Reason: User not registered</P> Thu, 06 Oct 2022 06:41:24 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-SPL-How-do-I-use-regex-to-create-an-alert/m-p/616089#M214097 uagraw01 2022-10-06T06:41:24Z https://community.splunk.com/t5/Splunk-Search/Splunk-SPL-How-do-I-use-regex-to-create-an-alert/m-p/616097#M214102 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/70277">@uagraw01</a>,</P><P>I replicated the output you indicated,</P><P>to have both the field name in a column and the value in another column you have to use the same search without the last row:</P><LI-CODE lang="markup">&lt;your_search&gt; | rex field=_raw "Site\|\_\_SYSTEM\__(?&lt;ServiceName&gt;[A-Za-z]+)" | rex field=_raw "Message\s\=\s(?&lt;Error_Message&gt;.+\:\s[A-Za-z0-9]+)" | rex field=_raw "failed:\s(?&lt;OrderNumber&gt;[A-Za-z0-9]+)" | rex field=_raw "httpStatusCode\s\=\s(?&lt;ResponseTime&gt;[0-9]+)" | rex field=_raw "ResponseTime\s\=\s(?&lt;Reason&gt;.+)" | table ServiceName Error_Message OrderNumber ResponseTime Reason | transpose 5 | rename "row 1" AS Value </LI-CODE><P>&nbsp;If instead you want "&lt;fieldname&gt;: &gt;fieldvalue&gt;", you have to use a similar search:</P><LI-CODE lang="markup">&lt;your_search&gt; | rex field=_raw "Site\|\_\_SYSTEM\__(?&lt;ServiceName&gt;[A-Za-z]+)" | rex field=_raw "Message\s\=\s(?&lt;Error_Message&gt;.+\:\s[A-Za-z0-9]+)" | rex field=_raw "failed:\s(?&lt;OrderNumber&gt;[A-Za-z0-9]+)" | rex field=_raw "httpStatusCode\s\=\s(?&lt;ResponseTime&gt;[0-9]+)" | rex field=_raw "ResponseTime\s\=\s(?&lt;Reason&gt;.+)" | eval ServiceName="ServiceName: ".ServiceName, Error_Message="Error_Message: ".Error_Message, OrderNumber="OrderNumber: ".OrderNumber, ResponseTime="ResponseTime: ".ResponseTime, Reason="Reason: ".Reason | table ServiceName Error_Message OrderNumber ResponseTime Reason | transpose 5 | rename "row 1" AS Value | table Value</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Thu, 06 Oct 2022 06:53:48 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-SPL-How-do-I-use-regex-to-create-an-alert/m-p/616097#M214102 gcusello 2022-10-06T06:53:48Z https://community.splunk.com/t5/Splunk-Search/Splunk-SPL-How-do-I-use-regex-to-create-an-alert/m-p/616111#M214109 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;I tried some workarounds. And I succeed what I want to achieve, that is highlighted in the yellow.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="uagraw01_0-1665048097229.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/21914i63EDBAD680CA9223/image-size/medium?v=v2&amp;px=400" role="button" title="uagraw01_0-1665048097229.png" alt="uagraw01_0-1665048097229.png" /></span></P><P>&nbsp;</P> Thu, 06 Oct 2022 09:16:15 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-SPL-How-do-I-use-regex-to-create-an-alert/m-p/616111#M214109 uagraw01 2022-10-06T09:16:15Z https://community.splunk.com/t5/Splunk-Search/Splunk-SPL-How-do-I-use-regex-to-create-an-alert/m-p/616112#M214110 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/70277">@uagraw01</a>,</P><P>good for you, but this is a different output than the one you shared.</P><P>why my solution doesn't work for you, what's the problem?</P><P>tell me if you need more help, otherwise, please accept one answer for the other people of Community.</P><P>Ciao.</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Thu, 06 Oct 2022 09:20:38 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-SPL-How-do-I-use-regex-to-create-an-alert/m-p/616112#M214110 gcusello 2022-10-06T09:20:38Z