https://community.splunk.com/t5/Splunk-Search/instr-in-Splunk/m-p/691824#M235526 <P>Would you look at <STRONG>Payload </STRONG>parameter. Result has many strings with spaces.</P> Thu, 27 Jun 2024 08:58:33 GMT kp_pl 2024-06-27T08:58:33Z https://community.splunk.com/t5/Splunk-Search/instr-in-Splunk/m-p/691817#M235521 <P>Below is one of my fields. Quite complex,&nbsp; I know It could be divided to more atomic values .. but it is not <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span><BR /><BR /><EM>[AuditingPipelinePair, AuditingPipelinePair_response, AuditResponse, RESPONSE] [[</EM><BR /><EM>Tag = AUDIT-SUCCESS</EM><BR /><EM>Subject = "TAR_ID":"72503", "YEAR":"2106", "EQ_TY":"STD"</EM><BR /><EM>BXB ServiceTus TransactionId = sb-W10nXQte_ORf6PjJ4wQ#000000004</EM><BR /><EM>Message ID = afa9613.62eeaf42.N6b.1405404bdw7.N7e14</EM><BR /><EM>Service Ref = KlmSpsDictanaryS1/proxy/KlmSpsDictanary</EM><BR /><EM>Operation = getShareEquip</EM><BR /><EM>Protocol = KTTP</EM><BR /><EM>Client Address = 11.232.189.10</EM><BR /><EM>TransportDevel User = &lt;anonymous&gt;</EM><BR /><EM>MessageDevel User = dkd</EM><BR /><EM>Message Pode = 0</EM><BR /><EM>Payload = Dipis sb-W10wXDte_ORf6PjJde34wQ0004</EM><BR /><EM>]]</EM><BR /><BR />Anyway, some of (single Strings) values splunk separated automatically like <EM>Protocol</EM> or <EM>Operation.</EM> But how to extract (or even eval in query) parameter with space like&nbsp; "<EM>MessageDevel User"&nbsp;</EM> or<EM> "ClientAddress" ?<BR /><BR /></EM></P> Thu, 27 Jun 2024 07:03:49 GMT https://community.splunk.com/t5/Splunk-Search/instr-in-Splunk/m-p/691817#M235521 kp_pl 2024-06-27T07:03:49Z https://community.splunk.com/t5/Splunk-Search/instr-in-Splunk/m-p/691818#M235522 <P>You could use rex, something like this</P><LI-CODE lang="markup">| rex "MessageDevel User = (?&lt;MessageDevelUser&gt;\S+)"</LI-CODE> Thu, 27 Jun 2024 07:23:06 GMT https://community.splunk.com/t5/Splunk-Search/instr-in-Splunk/m-p/691818#M235522 ITWhisperer 2024-06-27T07:23:06Z https://community.splunk.com/t5/Splunk-Search/instr-in-Splunk/m-p/691819#M235523 <P>Not quite sure what you're asking but, there are several things you can do there:</P><P>If fields like "<EM>Client Address"</EM> are not extracted, you can do a rex command and then use the extracted fields in evals etc:</P><LI-CODE lang="markup">| rex "Client Address = (?&lt;address&gt;\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})" | eval address = ...</LI-CODE><P>If they are already extracted, but the field as a space you can do either:</P><LI-CODE lang="markup">| rename "Client Address" as ClientAddress |eval ClientAddress = ... or | eval "Client Address" = ...</LI-CODE><P>&nbsp;</P> Thu, 27 Jun 2024 07:24:26 GMT https://community.splunk.com/t5/Splunk-Search/instr-in-Splunk/m-p/691819#M235523 glc_slash_it 2024-06-27T07:24:26Z https://community.splunk.com/t5/Splunk-Search/instr-in-Splunk/m-p/691822#M235524 <P>I feel it could be a good solution but how to use it ?&nbsp; Should I extract new field with this regex ?&nbsp;</P> Thu, 27 Jun 2024 08:52:05 GMT https://community.splunk.com/t5/Splunk-Search/instr-in-Splunk/m-p/691822#M235524 kp_pl 2024-06-27T08:52:05Z https://community.splunk.com/t5/Splunk-Search/instr-in-Splunk/m-p/691823#M235525 <P>ok, got it !&nbsp; Works perfect <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P><P>&nbsp;</P> Thu, 27 Jun 2024 08:54:14 GMT https://community.splunk.com/t5/Splunk-Search/instr-in-Splunk/m-p/691823#M235525 kp_pl 2024-06-27T08:54:14Z https://community.splunk.com/t5/Splunk-Search/instr-in-Splunk/m-p/691824#M235526 <P>Would you look at <STRONG>Payload </STRONG>parameter. Result has many strings with spaces.</P> Thu, 27 Jun 2024 08:58:33 GMT https://community.splunk.com/t5/Splunk-Search/instr-in-Splunk/m-p/691824#M235526 kp_pl 2024-06-27T08:58:33Z