https://community.splunk.com/t5/Splunk-Search/Extract-multiple-groups-rex-key-value-pairs-comma-separated/m-p/666287#M228569 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/160850">@ejwade</a>,</P><P>you should already have these extractions because usually Splunk identifies the groups fieldname=fieldvalue.</P><P>Anyway, please try this regex:</P><LI-CODE lang="markup">name\=\"(?&lt;name&gt;[^\"]*)\",value\=\[*\"(?&lt;values&gt;[^\"]*)</LI-CODE><P>that you can test at&nbsp;<A href="https://regex101.com/r/PEszES/1" target="_blank">https://regex101.com/r/PEszES/1</A></P><P>Ciao.</P><P>Giuseppe</P> Thu, 26 Oct 2023 06:27:19 GMT gcusello 2023-10-26T06:27:19Z https://community.splunk.com/t5/Splunk-Search/Extract-multiple-groups-rex-key-value-pairs-comma-separated/m-p/666279#M228567 <P>I'm looking for the regular expression wizards out there. I need to do a rex with two capture groups: one for name, and one for value. I plan to use the replace function, and throw everything else away but those two capture groups (e.g., "\1: \2").</P><P>Here are some sample events.</P><P>name="Building",value="Southwest",descendants_action="success",operation="OVERRIDE"<BR />name="Building",value=["Northeast","Northwest"],descendants_action="failure",operation="OVERRIDE"<BR />name="Building",value="Southeast",descendants_action="success",operation="OVERRIDE"<BR />name="Building",value="Northwest"<BR />name="Building",value="Northwest",operation="OVERRIDE"</P><P>So far I just have this.<BR />^name=\"(.*)\",value=\[?(.*)\]?</P><P>Any ideas?</P> Thu, 26 Oct 2023 03:37:37 GMT https://community.splunk.com/t5/Splunk-Search/Extract-multiple-groups-rex-key-value-pairs-comma-separated/m-p/666279#M228567 ejwade 2023-10-26T03:37:37Z https://community.splunk.com/t5/Splunk-Search/Extract-multiple-groups-rex-key-value-pairs-comma-separated/m-p/666287#M228569 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/160850">@ejwade</a>,</P><P>you should already have these extractions because usually Splunk identifies the groups fieldname=fieldvalue.</P><P>Anyway, please try this regex:</P><LI-CODE lang="markup">name\=\"(?&lt;name&gt;[^\"]*)\",value\=\[*\"(?&lt;values&gt;[^\"]*)</LI-CODE><P>that you can test at&nbsp;<A href="https://regex101.com/r/PEszES/1" target="_blank">https://regex101.com/r/PEszES/1</A></P><P>Ciao.</P><P>Giuseppe</P> Thu, 26 Oct 2023 06:27:19 GMT https://community.splunk.com/t5/Splunk-Search/Extract-multiple-groups-rex-key-value-pairs-comma-separated/m-p/666287#M228569 gcusello 2023-10-26T06:27:19Z https://community.splunk.com/t5/Splunk-Search/Extract-multiple-groups-rex-key-value-pairs-comma-separated/m-p/666317#M228584 <P>Try something along these lines</P><LI-CODE lang="markup">^name=\"([^\"]*)\",value=(\[([^\]]+)\]|\"[^\"]+\")(.*)</LI-CODE><P><A href="https://regex101.com/r/id6m8s/1" target="_blank">https://regex101.com/r/id6m8s/1</A></P> Thu, 26 Oct 2023 09:41:05 GMT https://community.splunk.com/t5/Splunk-Search/Extract-multiple-groups-rex-key-value-pairs-comma-separated/m-p/666317#M228584 ITWhisperer 2023-10-26T09:41:05Z