https://community.splunk.com/t5/Splunk-Search/How-to-extract-two-fields-with-the-same-field-name-from-a/m-p/146746#M41000 <P>Hi, If you are using rex command, try this:</P> <PRE><CODE>.......| rex max_match=0 field=..... </CODE></PRE> Fri, 17 Apr 2015 13:22:25 GMT stephane_cyrill 2015-04-17T13:22:25Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-two-fields-with-the-same-field-name-from-a/m-p/146745#M40999 <P>Trying to get some data from our alerting/event system into Splunk. There is a report with key value pairs that already existed so I attempted to use that. I am running into an issue with the <CODE>Journal</CODE> field, which can occur multiple times if the event has been updated frequently. I have an extraction that works for the first one, but no way to get any additional ones if they occur.</P> <P>Here is a sample of the data:</P> <PRE><CODE>SevReq=0 Ticket=NoTicket Type=1 DataCenter=dc1 State=Closed Journal=2015/04/09 21:39:15 Alert acknowledged by user1. Journal=2015/04/09 22:47:30 Alert Closed by user2. </CODE></PRE> <P>END<BR /> Here is my extraction that works for the first line:</P> <P>Journal=(?P.*)</P> Fri, 17 Apr 2015 12:45:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-two-fields-with-the-same-field-name-from-a/m-p/146745#M40999 stevepraz 2015-04-17T12:45:12Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-two-fields-with-the-same-field-name-from-a/m-p/146746#M41000 <P>Hi, If you are using rex command, try this:</P> <PRE><CODE>.......| rex max_match=0 field=..... </CODE></PRE> Fri, 17 Apr 2015 13:22:25 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-two-fields-with-the-same-field-name-from-a/m-p/146746#M41000 stephane_cyrill 2015-04-17T13:22:25Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-two-fields-with-the-same-field-name-from-a/m-p/146747#M41001 <P>You can set <CODE>max_match = 0</CODE> to retrieve more than one match of your capture group: <A href="http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Rex">rex reference</A></P> Fri, 17 Apr 2015 13:31:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-two-fields-with-the-same-field-name-from-a/m-p/146747#M41001 jeffland 2015-04-17T13:31:46Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-two-fields-with-the-same-field-name-from-a/m-p/146748#M41002 <P>Ah, stephane_cyrille was faster <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 17 Apr 2015 13:32:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-two-fields-with-the-same-field-name-from-a/m-p/146748#M41002 jeffland 2015-04-17T13:32:07Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-two-fields-with-the-same-field-name-from-a/m-p/146749#M41003 <P>You can just vote when your agree. I like your speed jeffland......</P> Fri, 17 Apr 2015 14:47:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-two-fields-with-the-same-field-name-from-a/m-p/146749#M41003 stephane_cyrill 2015-04-17T14:47:58Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-two-fields-with-the-same-field-name-from-a/m-p/146750#M41004 <P>I know... You simply posted while I was writing my answer (which took some time as I got a little sidetracked trying stuff on regex101.com) <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 17 Apr 2015 15:11:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-two-fields-with-the-same-field-name-from-a/m-p/146750#M41004 jeffland 2015-04-17T15:11:11Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-two-fields-with-the-same-field-name-from-a/m-p/146751#M41005 <P>how do you get this to work with field extractions though?</P> Tue, 10 Oct 2017 19:24:18 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-two-fields-with-the-same-field-name-from-a/m-p/146751#M41005 gwilliams1_2 2017-10-10T19:24:18Z