https://community.splunk.com/t5/Splunk-Search/Extracting-values-inside-of-a-which-are-separated-with-spaces/m-p/689601#M234976 <P>As&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;says, "not working as expected", "doesn't work", etc., should be forbidden in this forum. &nbsp;More specifically, if your raw events contain things like&nbsp;"letterIdAndDeliveryIndicatorMap=[abc=P, efg=P, HijKlmno=E]", Splunk's default extraction should have given you <U>abc</U>, <U>efg</U>, <U>HijKlmlo</U> without you asking. (It also gives you a field&nbsp;letterIdAndDeliveryIndicatorMap.) If you do <FONT face="courier new,courier">table *</FONT>, what do you see?</P><P>Here is an emulation</P><LI-CODE lang="markup">| makeresults | eval _raw="letterIdAndDeliveryIndicatorMap=[abc=P, efg=P, HijKlmno=E]" | extract</LI-CODE><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-06-04 at 11.58.13 AM.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/31147iBEEFD8D0AFBF3F23/image-size/medium?v=v2&amp;px=400" role="button" title="Screenshot 2024-06-04 at 11.58.13 AM.png" alt="Screenshot 2024-06-04 at 11.58.13 AM.png" /></span></P><P> </P> Tue, 04 Jun 2024 19:00:26 GMT yuanliu 2024-06-04T19:00:26Z https://community.splunk.com/t5/Splunk-Search/Extracting-values-inside-of-a-which-are-separated-with-spaces/m-p/689588#M234967 <P>trying to use rex to get the contents for the field <SPAN>letterIdAndDeliveryIndicatorMap</SPAN>.</P><P>For example, Logged string&nbsp;<SPAN>letterIdAndDeliveryIndicatorMap=[abc=P, efg=P, HijKlmno=E]</SPAN></P><P><SPAN>I wan</SPAN><SPAN>t to extract the contents between the [] , which is&nbsp;abc=P, efg=P, HijKlmno=E and then find stats on them.</SPAN></P><P><SPAN>I was trying something like&nbsp;</SPAN></P><P><SPAN>rex&nbsp; field=_raw "letterIdAndDeliveryIndicatorMap=\[(?&lt;letterIdAry&gt;[^\] ]+)"</SPAN></P><P><SPAN>but, its not working as expected.</SPAN></P><P><SPAN>Thanks in advance!</SPAN></P><P>&nbsp;</P> Tue, 04 Jun 2024 16:38:50 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-values-inside-of-a-which-are-separated-with-spaces/m-p/689588#M234967 RamMur 2024-06-04T16:38:50Z https://community.splunk.com/t5/Splunk-Search/Extracting-values-inside-of-a-which-are-separated-with-spaces/m-p/689592#M234971 <P>What do you mean by "not working as expected" (because it looks like you should have extracted something at least)?</P> Tue, 04 Jun 2024 16:58:48 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-values-inside-of-a-which-are-separated-with-spaces/m-p/689592#M234971 ITWhisperer 2024-06-04T16:58:48Z https://community.splunk.com/t5/Splunk-Search/Extracting-values-inside-of-a-which-are-separated-with-spaces/m-p/689593#M234972 <P>yes, found that my regex had a space between ]], once fixed, was able to extract them as "<SPAN>abc=P, efg=P, HijKlmno=E"</SPAN> , thanks. next trying to get stats on count of&nbsp;<SPAN>abc=P.</SPAN></P> Tue, 04 Jun 2024 17:03:59 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-values-inside-of-a-which-are-separated-with-spaces/m-p/689593#M234972 RamMur 2024-06-04T17:03:59Z https://community.splunk.com/t5/Splunk-Search/Extracting-values-inside-of-a-which-are-separated-with-spaces/m-p/689595#M234973 <P>You should be able to use the split function after extracting which will convert it to a MV field and then utilize a stats against that MV field.<BR />Something like this<BR /><BR /></P><LI-CODE lang="markup">&lt;base_search&gt; | rex field=_raw "letterIdAndDeliveryIndicatorMap=\[(?&lt;letterIdAry&gt;[^\]]+)" | eval letterIdAry=split(letterIdAry, ","), letterIdAry=case( mvcount(letterIdAry)==1, trim(letterIdAry, " "), mvcount(letterIdAry)&gt;1, mvmap(letterIdAry, trim(letterIdAry, " ")) ) | stats count as event_count by letterIdAry</LI-CODE><P><BR />Example output:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="dtburrows3_0-1717523007986.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/31146i658F3A87C5436B2C/image-size/medium?v=v2&amp;px=400" role="button" title="dtburrows3_0-1717523007986.png" alt="dtburrows3_0-1717523007986.png" /></span></P><P>&nbsp;</P> Tue, 04 Jun 2024 17:43:36 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-values-inside-of-a-which-are-separated-with-spaces/m-p/689595#M234973 dtburrows3 2024-06-04T17:43:36Z https://community.splunk.com/t5/Splunk-Search/Extracting-values-inside-of-a-which-are-separated-with-spaces/m-p/689601#M234976 <P>As&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;says, "not working as expected", "doesn't work", etc., should be forbidden in this forum. &nbsp;More specifically, if your raw events contain things like&nbsp;"letterIdAndDeliveryIndicatorMap=[abc=P, efg=P, HijKlmno=E]", Splunk's default extraction should have given you <U>abc</U>, <U>efg</U>, <U>HijKlmlo</U> without you asking. (It also gives you a field&nbsp;letterIdAndDeliveryIndicatorMap.) If you do <FONT face="courier new,courier">table *</FONT>, what do you see?</P><P>Here is an emulation</P><LI-CODE lang="markup">| makeresults | eval _raw="letterIdAndDeliveryIndicatorMap=[abc=P, efg=P, HijKlmno=E]" | extract</LI-CODE><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-06-04 at 11.58.13 AM.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/31147iBEEFD8D0AFBF3F23/image-size/medium?v=v2&amp;px=400" role="button" title="Screenshot 2024-06-04 at 11.58.13 AM.png" alt="Screenshot 2024-06-04 at 11.58.13 AM.png" /></span></P><P> </P> Tue, 04 Jun 2024 19:00:26 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-values-inside-of-a-which-are-separated-with-spaces/m-p/689601#M234976 yuanliu 2024-06-04T19:00:26Z