topic Re: Need Help in extraction of multiple file names from an event and add it as a separate field using rex command in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-multiple-file-names-from-an-event-and-add-it/m-p/646965#M223932 <P>HI IT Whisperer,</P><P>Thanks for your response. As mentioned by you, below is the raw event.</P><P><SPAN>{"<SPAN class="">timestamp</SPAN>"<SPAN class="">:</SPAN>&nbsp;"<SPAN class="">2023-06-13T09:35:27.498033Z</SPAN>", "<SPAN class="">level</SPAN>"<SPAN class="">:</SPAN>&nbsp;"<SPAN class="">INFO</SPAN>", "<SPAN class="">filename</SPAN>"<SPAN class="">:</SPAN>&nbsp;"<SPAN class="">splunk_sample_csv.py</SPAN>", "<SPAN class="">funcName</SPAN>"<SPAN class="">:</SPAN>&nbsp;"<SPAN class="">main</SPAN>", "<SPAN class="">lineno</SPAN>"<SPAN class="">:</SPAN>&nbsp;<SPAN class="">38</SPAN>, "<SPAN class="">message</SPAN>"<SPAN class="">:</SPAN>&nbsp;"<SPAN class="">Dataframe</SPAN>&nbsp;<SPAN class="">row</SPAN>&nbsp;<SPAN class="">:</SPAN>&nbsp;{<SPAN class="">\</SPAN>"<SPAN class="">_c0\</SPAN>"<SPAN class="">:</SPAN>{<SPAN class="">\</SPAN>"<SPAN class="">0\</SPAN>"<SPAN class=""><span class="lia-unicode-emoji" title=":confused_face:">😕</span></SPAN>"{<SPAN class="">\</SPAN>",<SPAN class="">\</SPAN>"<SPAN class="">1\</SPAN>"<SPAN class=""><span class="lia-unicode-emoji" title=":confused_face:">😕</span></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"Timestamp\\\</A></SPAN>"<SPAN class="">:</SPAN>&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"2023\\/06\\/13</A></SPAN>&nbsp;<SPAN class="">11:22:45\\\</SPAN>"<SPAN class="">\</SPAN>",<SPAN class="">\</SPAN>"<SPAN class="">2\</SPAN>"<SPAN class=""><span class="lia-unicode-emoji" title=":confused_face:">😕</span></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"status\\\</A></SPAN>"<SPAN class="">:</SPAN>&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"files</A></SPAN>&nbsp;</SPAN><SPAN class=""><SPAN>arrived</SPAN></SPAN><SPAN class=""><SPAN>\\\</SPAN></SPAN><SPAN>"<SPAN class="">\</SPAN>",<SPAN class="">\</SPAN>"<SPAN class="">3\</SPAN>"<SPAN class=""><span class="lia-unicode-emoji" title=":confused_face:">😕</span></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"files\\\</A></SPAN>"<SPAN class="">:</SPAN>&nbsp;[<SPAN class="">\</SPAN>",<SPAN class="">\</SPAN>"<SPAN class="">4\</SPAN>"<SPAN class=""><span class="lia-unicode-emoji" title=":confused_face:">😕</span></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"PAKS_FACT_DWH2_D20220221.ok\\\"\",\"5\":\</A></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"PAKS_UBER_DWH2_D20220221.ok\\\"\",\"6\":\</A></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"HHE_SIT_check_file1.txt.ok\\\"\",\"7\":\</A></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"HHE_SIT_check_file2.txt.ok\\\"\",\"8\":\</A></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"HHE_SIT_check_file3.txt.ok\\\"\",\"9\":\</A></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"PAKS_FACT_DWH2_D20220412.ok\\\"\",\"10\":\</A></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"PAKS_FACT_DWH2_D20220420.ok\\\"\",\"11\":\</A></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"PAKS_FACT_DWH2_D20211223.ok\\\"\",\"12\":\</A></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"PAKS_FACT_DWH2_D20211224.ok\\\"\",\"13\":\</A></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"PAKS_FACT_DWH2_D20211225.ok\\\"\",\"14\":\</A></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"NOSPKP2P_DLY_NOK_D230708.ok\\\"\",\"15\":\</A></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"DUMMY_DLY_NOK_D230613.ok\\\"\",\"16\":\</A></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"DUMMY_TEST_DLY_NOK_D230613.ok\\\"\",\"17\":\</A></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"TLX2DB.PROVD.DREAM_12.ok\\\"\",\"18\":\</A></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"TLX2DB.PROVD.DREAM_152.ok\\\"\",\"19\":\</A></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"TLX2DB.PROVD.DREAM_2023-04-19-04.04.32.679000.csv.ok\\\"\",\"20\":\</A></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"TLX2DB.PROVD.DREAM_2023-04-20-05.09.39.679000.csv.ok\\\"\",\"21\":\</A></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"TLX2DB.PROVD.DREAM_2023-04-18-05.09.39.679000.csv.ok\\\"\",\"22\":\</A></SPAN>" ]<SPAN class="">\</SPAN>",<SPAN class="">\</SPAN>"<SPAN class="">23\</SPAN>"<SPAN class=""><span class="lia-unicode-emoji" title=":confused_face:">😕</span></SPAN>"}<SPAN class="">\</SPAN>"}} ", "<SPAN class="">process</SPAN>"<SPAN class="">:</SPAN>&nbsp;<SPAN class="">32633</SPAN>, "<SPAN class="">processName</SPAN>"<SPAN class="">:</SPAN>&nbsp;"<SPAN class="">MainProcess</SPAN>"}</SPAN></P><P><SPAN>I tried to extract the file names like&nbsp;&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">PAKS_FACT_DWH2_D20220221.ok</A>,&nbsp;<A target="_blank" rel="noopener noreferrer">PAKS_UBER_DWH2_D20220221.ok</A>,&nbsp;<A target="_blank" rel="noopener noreferrer">HHE_SIT_check_file1.txt.ok</A>,&nbsp;<A target="_blank" rel="noopener noreferrer">HHE_SIT_check_file2.txt.ok</A>,&nbsp;<A target="_blank" rel="noopener noreferrer">HHE_SIT_check_file3.txt.ok </A></SPAN></SPAN></P><P><SPAN><SPAN class="">separately and add them as a separate field using the below query&nbsp;</SPAN></SPAN></P><P><SPAN><SPAN class="">index= app_events_dwh2_de_int | rex max_match=0 "\\\\\\\\\\\\\"files\\\\\\\\\\\\\":\s*\\\\\\\\\\\\\"(?&lt;File_Arrived&gt;[^\\\]+)"</SPAN></SPAN></P><P><SPAN><SPAN class="">but this doesn't worked. Please help us on this issue.</SPAN></SPAN></P> Wed, 14 Jun 2023 12:20:34 GMT Renunaren 2023-06-14T12:20:34Z How can I extract multiple file names from an event and add it as a separate field using rex command? https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-multiple-file-names-from-an-event-and-add-it/m-p/646957#M223926 <P>Hi Team,</P> <P>We have a raw event where the message field consists of multiple file names, we want to extract those and add them as a separate field. Please help us on this. Below is the sample event for reference.</P> <P><SPAN>{"<SPAN class="">timestamp</SPAN>"<SPAN class="">:</SPAN>&nbsp;"<SPAN class="">2023-06-13T09:35:27.498033Z</SPAN>", "<SPAN class="">level</SPAN>"<SPAN class="">:</SPAN>&nbsp;"<SPAN class="">INFO</SPAN>", "<SPAN class="">filename</SPAN>"<SPAN class="">:</SPAN>&nbsp;"<SPAN class="">splunk_sample_csv.py</SPAN>", "<SPAN class="">funcName</SPAN>"<SPAN class="">:</SPAN>&nbsp;"<SPAN class="">main</SPAN>", "<SPAN class="">lineno</SPAN>"<SPAN class="">:</SPAN>&nbsp;<SPAN class="">38</SPAN>, "<SPAN class="">message</SPAN>"<SPAN class="">:</SPAN>&nbsp;"<SPAN class="">Dataframe</SPAN>&nbsp;<SPAN class="">row</SPAN>&nbsp;<SPAN class="">:</SPAN>&nbsp;{<SPAN class="">\</SPAN>"<SPAN class="">_c0\</SPAN>"<SPAN class="">:</SPAN>{<SPAN class="">\</SPAN>"<SPAN class="">0\</SPAN>"<SPAN class=""><span class="lia-unicode-emoji" title=":confused_face:">😕</span></SPAN>"{<SPAN class="">\</SPAN>",<SPAN class="">\</SPAN>"<SPAN class="">1\</SPAN>"<SPAN class=""><span class="lia-unicode-emoji" title=":confused_face:">😕</span></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"Timestamp\\\</A></SPAN>"<SPAN class="">:</SPAN>&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"2023\\/06\\/13</A></SPAN>&nbsp;<SPAN class="">11:22:45\\\</SPAN>"<SPAN class="">\</SPAN>",<SPAN class="">\</SPAN>"<SPAN class="">2\</SPAN>"<SPAN class=""><span class="lia-unicode-emoji" title=":confused_face:">😕</span></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"status\\\</A></SPAN>"<SPAN class="">:</SPAN>&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"files</A></SPAN>&nbsp;</SPAN><SPAN class=""><SPAN>arrived</SPAN></SPAN><SPAN class=""><SPAN>\\\</SPAN></SPAN><SPAN>"<SPAN class="">\</SPAN>",<SPAN class="">\</SPAN>"<SPAN class="">3\</SPAN>"<SPAN class=""><span class="lia-unicode-emoji" title=":confused_face:">😕</span></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"files\\\</A></SPAN>"<SPAN class="">:</SPAN>&nbsp;[<SPAN class="">\</SPAN>",<SPAN class="">\</SPAN>"<SPAN class="">4\</SPAN>"<SPAN class=""><span class="lia-unicode-emoji" title=":confused_face:">😕</span></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"PAKS_FACT_DWH2_D20220221.ok\\\"\",\"5\":\</A></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"PAKS_UBER_DWH2_D20220221.ok\\\"\",\"6\":\</A></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"HHE_SIT_check_file1.txt.ok\\\"\",\"7\":\</A></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"HHE_SIT_check_file2.txt.ok\\\"\",\"8\":\</A></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"HHE_SIT_check_file3.txt.ok\\\"\",\"9\":\</A></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"PAKS_FACT_DWH2_D20220412.ok\\\"\",\"10\":\</A></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"PAKS_FACT_DWH2_D20220420.ok\\\"\",\"11\":\</A></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"PAKS_FACT_DWH2_D20211223.ok\\\"\",\"12\":\</A></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"PAKS_FACT_DWH2_D20211224.ok\\\"\",\"13\":\</A></SPAN>" ]<SPAN class="">\</SPAN>",<SPAN class="">\</SPAN>"<SPAN class="">23\</SPAN>"<SPAN class=""><span class="lia-unicode-emoji" title=":confused_face:">😕</span></SPAN>"}<SPAN class="">\</SPAN>"}} ", "<SPAN class="">process</SPAN>"<SPAN class="">:</SPAN>&nbsp;<SPAN class="">32633</SPAN>, "<SPAN class="">processName</SPAN>"<SPAN class="">:</SPAN>&nbsp;"<SPAN class="">MainProcess</SPAN>"}</SPAN></P> <P><SPAN>Below is the sample SPL command used for this purpose.</SPAN></P> <P><SPAN>index= app_events_dwh2_de_int | rex max_match=0 "\\\\\\\\\\\\\"files\\\\\\\\\\\\\":\s*\\\\\\\\\\\\\"(?&lt;File_Arrived&gt;[^\\\]+)"</SPAN></P> <P><SPAN>Please help us on this.</SPAN></P> <P>&nbsp;</P> Thu, 15 Jun 2023 20:20:20 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-multiple-file-names-from-an-event-and-add-it/m-p/646957#M223926 Renunaren 2023-06-15T20:20:20Z Re: Need Help in extraction of multiple file names from an event and add it as a separate field using rex command https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-multiple-file-names-from-an-event-and-add-it/m-p/646959#M223928 <P>Please repost your raw event in a code block &lt;/&gt; so that it doesn't get corrupted by formatting&nbsp;</P> Wed, 14 Jun 2023 11:55:42 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-multiple-file-names-from-an-event-and-add-it/m-p/646959#M223928 ITWhisperer 2023-06-14T11:55:42Z Re: Need Help in extraction of multiple file names from an event and add it as a separate field using rex command https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-multiple-file-names-from-an-event-and-add-it/m-p/646965#M223932 <P>HI IT Whisperer,</P><P>Thanks for your response. As mentioned by you, below is the raw event.</P><P><SPAN>{"<SPAN class="">timestamp</SPAN>"<SPAN class="">:</SPAN>&nbsp;"<SPAN class="">2023-06-13T09:35:27.498033Z</SPAN>", "<SPAN class="">level</SPAN>"<SPAN class="">:</SPAN>&nbsp;"<SPAN class="">INFO</SPAN>", "<SPAN class="">filename</SPAN>"<SPAN class="">:</SPAN>&nbsp;"<SPAN class="">splunk_sample_csv.py</SPAN>", "<SPAN class="">funcName</SPAN>"<SPAN class="">:</SPAN>&nbsp;"<SPAN class="">main</SPAN>", "<SPAN class="">lineno</SPAN>"<SPAN class="">:</SPAN>&nbsp;<SPAN class="">38</SPAN>, "<SPAN class="">message</SPAN>"<SPAN class="">:</SPAN>&nbsp;"<SPAN class="">Dataframe</SPAN>&nbsp;<SPAN class="">row</SPAN>&nbsp;<SPAN class="">:</SPAN>&nbsp;{<SPAN class="">\</SPAN>"<SPAN class="">_c0\</SPAN>"<SPAN class="">:</SPAN>{<SPAN class="">\</SPAN>"<SPAN class="">0\</SPAN>"<SPAN class=""><span class="lia-unicode-emoji" title=":confused_face:">😕</span></SPAN>"{<SPAN class="">\</SPAN>",<SPAN class="">\</SPAN>"<SPAN class="">1\</SPAN>"<SPAN class=""><span class="lia-unicode-emoji" title=":confused_face:">😕</span></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"Timestamp\\\</A></SPAN>"<SPAN class="">:</SPAN>&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"2023\\/06\\/13</A></SPAN>&nbsp;<SPAN class="">11:22:45\\\</SPAN>"<SPAN class="">\</SPAN>",<SPAN class="">\</SPAN>"<SPAN class="">2\</SPAN>"<SPAN class=""><span class="lia-unicode-emoji" title=":confused_face:">😕</span></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"status\\\</A></SPAN>"<SPAN class="">:</SPAN>&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"files</A></SPAN>&nbsp;</SPAN><SPAN class=""><SPAN>arrived</SPAN></SPAN><SPAN class=""><SPAN>\\\</SPAN></SPAN><SPAN>"<SPAN class="">\</SPAN>",<SPAN class="">\</SPAN>"<SPAN class="">3\</SPAN>"<SPAN class=""><span class="lia-unicode-emoji" title=":confused_face:">😕</span></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"files\\\</A></SPAN>"<SPAN class="">:</SPAN>&nbsp;[<SPAN class="">\</SPAN>",<SPAN class="">\</SPAN>"<SPAN class="">4\</SPAN>"<SPAN class=""><span class="lia-unicode-emoji" title=":confused_face:">😕</span></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"PAKS_FACT_DWH2_D20220221.ok\\\"\",\"5\":\</A></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"PAKS_UBER_DWH2_D20220221.ok\\\"\",\"6\":\</A></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"HHE_SIT_check_file1.txt.ok\\\"\",\"7\":\</A></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"HHE_SIT_check_file2.txt.ok\\\"\",\"8\":\</A></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"HHE_SIT_check_file3.txt.ok\\\"\",\"9\":\</A></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"PAKS_FACT_DWH2_D20220412.ok\\\"\",\"10\":\</A></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"PAKS_FACT_DWH2_D20220420.ok\\\"\",\"11\":\</A></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"PAKS_FACT_DWH2_D20211223.ok\\\"\",\"12\":\</A></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"PAKS_FACT_DWH2_D20211224.ok\\\"\",\"13\":\</A></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"PAKS_FACT_DWH2_D20211225.ok\\\"\",\"14\":\</A></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"NOSPKP2P_DLY_NOK_D230708.ok\\\"\",\"15\":\</A></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"DUMMY_DLY_NOK_D230613.ok\\\"\",\"16\":\</A></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"DUMMY_TEST_DLY_NOK_D230613.ok\\\"\",\"17\":\</A></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"TLX2DB.PROVD.DREAM_12.ok\\\"\",\"18\":\</A></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"TLX2DB.PROVD.DREAM_152.ok\\\"\",\"19\":\</A></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"TLX2DB.PROVD.DREAM_2023-04-19-04.04.32.679000.csv.ok\\\"\",\"20\":\</A></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"TLX2DB.PROVD.DREAM_2023-04-20-05.09.39.679000.csv.ok\\\"\",\"21\":\</A></SPAN>"&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">\\\"TLX2DB.PROVD.DREAM_2023-04-18-05.09.39.679000.csv.ok\\\"\",\"22\":\</A></SPAN>" ]<SPAN class="">\</SPAN>",<SPAN class="">\</SPAN>"<SPAN class="">23\</SPAN>"<SPAN class=""><span class="lia-unicode-emoji" title=":confused_face:">😕</span></SPAN>"}<SPAN class="">\</SPAN>"}} ", "<SPAN class="">process</SPAN>"<SPAN class="">:</SPAN>&nbsp;<SPAN class="">32633</SPAN>, "<SPAN class="">processName</SPAN>"<SPAN class="">:</SPAN>&nbsp;"<SPAN class="">MainProcess</SPAN>"}</SPAN></P><P><SPAN>I tried to extract the file names like&nbsp;&nbsp;<SPAN class=""><A target="_blank" rel="noopener noreferrer">PAKS_FACT_DWH2_D20220221.ok</A>,&nbsp;<A target="_blank" rel="noopener noreferrer">PAKS_UBER_DWH2_D20220221.ok</A>,&nbsp;<A target="_blank" rel="noopener noreferrer">HHE_SIT_check_file1.txt.ok</A>,&nbsp;<A target="_blank" rel="noopener noreferrer">HHE_SIT_check_file2.txt.ok</A>,&nbsp;<A target="_blank" rel="noopener noreferrer">HHE_SIT_check_file3.txt.ok </A></SPAN></SPAN></P><P><SPAN><SPAN class="">separately and add them as a separate field using the below query&nbsp;</SPAN></SPAN></P><P><SPAN><SPAN class="">index= app_events_dwh2_de_int | rex max_match=0 "\\\\\\\\\\\\\"files\\\\\\\\\\\\\":\s*\\\\\\\\\\\\\"(?&lt;File_Arrived&gt;[^\\\]+)"</SPAN></SPAN></P><P><SPAN><SPAN class="">but this doesn't worked. Please help us on this issue.</SPAN></SPAN></P> Wed, 14 Jun 2023 12:20:34 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-multiple-file-names-from-an-event-and-add-it/m-p/646965#M223932 Renunaren 2023-06-14T12:20:34Z Re: Need Help in extraction of multiple file names from an event and add it as a separate field using rex command https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-multiple-file-names-from-an-event-and-add-it/m-p/646971#M223934 <P>By not putting your event in a code block &lt;/&gt; as requested it gets corrupted</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITWhisperer_0-1686746848325.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/25827i18217EFCD2C9F3F6/image-size/medium?v=v2&amp;px=400" role="button" title="ITWhisperer_0-1686746848325.png" alt="ITWhisperer_0-1686746848325.png" /></span></P><P>Please use this button</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITWhisperer_1-1686746905019.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/25828iE2CC65F2CFEA6D1D/image-size/medium?v=v2&amp;px=400" role="button" title="ITWhisperer_1-1686746905019.png" alt="ITWhisperer_1-1686746905019.png" /></span></P><P>to insert your example event</P> Wed, 14 Jun 2023 12:48:45 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-multiple-file-names-from-an-event-and-add-it/m-p/646971#M223934 ITWhisperer 2023-06-14T12:48:45Z Re: Need Help in extraction of multiple file names from an event and add it as a separate field using rex command https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-multiple-file-names-from-an-event-and-add-it/m-p/646977#M223938 <P>Hi IT Whisperer,</P><P>Thanks for your response. Please look into the sample event below.</P><LI-CODE lang="markup">{"timestamp": "2023-06-13T09:35:27.498033Z", "level": "INFO", "filename": "splunk_sample_csv.py", "funcName": "main", "lineno": 38, "message": "Dataframe row : {\"_c0\":{\"0\":\"{\",\"1\":\" \\\"Timestamp\\\": \\\"2023\\/06\\/13 11:22:45\\\"\",\"2\":\" \\\"status\\\": \\\"files arrived\\\"\",\"3\":\" \\\"files\\\": [\",\"4\":\" \\\"PAKS_FACT_DWH2_D20220221.ok\\\"\",\"5\":\" \\\"PAKS_UBER_DWH2_D20220221.ok\\\"\",\"6\":\" \\\"HHE_SIT_check_file1.txt.ok\\\"\",\"7\":\" \\\"HHE_SIT_check_file2.txt.ok\\\"\",\"8\":\" \\\"HHE_SIT_check_file3.txt.ok\\\"\",\"9\":\" \\\"PAKS_FACT_DWH2_D20220412.ok\\\"\",\"10\":\" \\\"PAKS_FACT_DWH2_D20220420.ok\\\"\",\"11\":\" \\\"PAKS_FACT_DWH2_D20211223.ok\\\"\",\"12\":\" \\\"PAKS_FACT_DWH2_D20211224.ok\\\"\",\"13\":\" \\\"PAKS_FACT_DWH2_D20211225.ok\\\"\",\"14\":\" \\\"NOSPKP2P_DLY_NOK_D230708.ok\\\"\",\"15\":\" \\\"DUMMY_DLY_NOK_D230613.ok\\\"\",\"16\":\" \\\"DUMMY_TEST_DLY_NOK_D230613.ok\\\"\",\"17\":\" \\\"TLX2DB.PROVD.DREAM_12.ok\\\"\",\"18\":\" \\\"TLX2DB.PROVD.DREAM_152.ok\\\"\",\"19\":\" \\\"TLX2DB.PROVD.DREAM_2023-04-19-04.04.32.679000.csv.ok\\\"\",\"20\":\" \\\"TLX2DB.PROVD.DREAM_2023-04-20-05.09.39.679000.csv.ok\\\"\",\"21\":\" \\\"TLX2DB.PROVD.DREAM_2023-04-18-05.09.39.679000.csv.ok\\\"\",\"22\":\" ]\",\"23\":\"}\"}} ", "process": 32633, "processName": "MainProcess"} </LI-CODE><P>Please look into the above code and kindly help us in extracting the file names like mentioned above using rex command.</P> Wed, 14 Jun 2023 13:01:55 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-multiple-file-names-from-an-event-and-add-it/m-p/646977#M223938 Renunaren 2023-06-14T13:01:55Z Re: Need Help in extraction of multiple file names from an event and add it as a separate field using rex command https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-multiple-file-names-from-an-event-and-add-it/m-p/646982#M223941 <P>First extract the list, then each file</P><LI-CODE lang="markup">| rex "(?:\"files[\\\\]+\": \[)(?&lt;fileslist&gt;[^\s:]+[^\]]+)" | rex field=fileslist max_match=0 "(?:[^\s:]+[^\s]+\s[\"\\\]+)(?&lt;files&gt;[^\\\]+)"</LI-CODE> Wed, 14 Jun 2023 14:14:14 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-multiple-file-names-from-an-event-and-add-it/m-p/646982#M223941 ITWhisperer 2023-06-14T14:14:14Z