https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-csv-data-fields-message-data-into-fields/m-p/695138#M236400 <P>partially&nbsp;<BR />Where we had "Example"<BR />It can sometimes be other words<BR />so its not capturing everything from&nbsp;&nbsp;<SPAN>([</SPAN></P> Fri, 02 Aug 2024 22:00:06 GMT Cheng2Ready 2024-08-02T22:00:06Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-csv-data-fields-message-data-into-fields/m-p/695114#M236392 <P>I have a field message that when<BR />I run the search</P> <LI-CODE lang="markup">index=example123 host=5566 |search "*specials word*" I table message</LI-CODE> <P><BR />it displays as an example below:&nbsp;<BR /><BR />2024-08-02 16:45:21- INFO Example (['test1' , 'test2', 'test3', 'test4', 'test5', 'test6', 'test7)'] , <SPAN>['Medium', 'Large ', 'Small', 'Small ', 'Large ', 'Large ', 'Large '])<BR /><BR /></SPAN>Is there a way to run a command so that the data in the field "Message"&nbsp; can be extracted into their own fields or displayed like this matching 1:1 on a table&nbsp;<BR /><BR /><BR /><BR />test1&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;test2&nbsp; &nbsp; &nbsp; &nbsp;test3&nbsp; &nbsp; &nbsp; &nbsp; test4&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;test5&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;test6&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; test7<BR /><SPAN>Medium&nbsp; &nbsp; &nbsp;Large&nbsp; &nbsp; &nbsp; Small&nbsp; &nbsp; &nbsp; &nbsp; Small&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Large&nbsp; &nbsp; &nbsp; &nbsp; Large&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Large<BR /><BR /></SPAN>or<BR /><BR />test1 =&nbsp;<SPAN>Medium&nbsp;<BR /></SPAN>test2=&nbsp;<SPAN>Large&nbsp;<BR />test3 =&nbsp;Small<BR />.... ect</SPAN></P> <P>&nbsp;</P> Fri, 02 Aug 2024 23:11:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-csv-data-fields-message-data-into-fields/m-p/695114#M236392 Cheng2Ready 2024-08-02T23:11:46Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-csv-data-fields-message-data-into-fields/m-p/695121#M236395 <P>Assuming your real events don't have brackets in the names, try something like this</P><LI-CODE lang="markup">| rex "Example \(\[(?&lt;keys&gt;[^\]]*)\]\s*,\s*\[(?&lt;values&gt;[^\]]*)\]\)" | rex max_match=0 field=keys "'(?&lt;key&gt;[^']+)'" | rex max_match=0 field=values "'(?&lt;value&gt;[^']+)'" | table key value | eval pairs=mvzip(key, value, "=")</LI-CODE> Fri, 02 Aug 2024 18:40:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-csv-data-fields-message-data-into-fields/m-p/695121#M236395 ITWhisperer 2024-08-02T18:40:29Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-csv-data-fields-message-data-into-fields/m-p/695127#M236397 <P>Thank you for your prompt response<BR />I have different container names<BR />example replacing<BR /><BR /><SPAN>'test1' , 'test2', 'test3', 'test4', 'test5', 'test6', 'test7<BR /><BR /></SPAN>to as an example<BR /><BR /><SPAN>'x99_846' , 'beacon score', 'account count', '', 'credit_transactions', 'status_active_years', 'current'<BR /><BR /></SPAN>ect</P> Fri, 02 Aug 2024 20:11:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-csv-data-fields-message-data-into-fields/m-p/695127#M236397 Cheng2Ready 2024-08-02T20:11:08Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-csv-data-fields-message-data-into-fields/m-p/695128#M236398 <P>Does the search work for you?</P> Fri, 02 Aug 2024 20:17:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-csv-data-fields-message-data-into-fields/m-p/695128#M236398 ITWhisperer 2024-08-02T20:17:36Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-csv-data-fields-message-data-into-fields/m-p/695138#M236400 <P>partially&nbsp;<BR />Where we had "Example"<BR />It can sometimes be other words<BR />so its not capturing everything from&nbsp;&nbsp;<SPAN>([</SPAN></P> Fri, 02 Aug 2024 22:00:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-csv-data-fields-message-data-into-fields/m-p/695138#M236400 Cheng2Ready 2024-08-02T22:00:06Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-csv-data-fields-message-data-into-fields/m-p/695143#M236401 <P>I think I found the answer<BR />| rex field="Example" seemed to work<BR /><BR /><BR /></P><P>Thank you</P> Fri, 02 Aug 2024 23:49:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-csv-data-fields-message-data-into-fields/m-p/695143#M236401 Cheng2Ready 2024-08-02T23:49:54Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-csv-data-fields-message-data-into-fields/m-p/695151#M236406 <P>It is often quicker if you give accurate representations of your real data, not just made up names, but good that you worked out how to fix it.</P> Sat, 03 Aug 2024 06:39:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-csv-data-fields-message-data-into-fields/m-p/695151#M236406 ITWhisperer 2024-08-03T06:39:19Z