https://community.splunk.com/t5/Splunk-Search/How-to-extract-keywords-and-associated-values-with-rex-from-raw/m-p/147149#M41132 <P>Thank you.. I tried, its just reading all SSN keyword(considering false positive) not extracting the values and listing out.</P> Thu, 19 Feb 2015 19:02:35 GMT satya2p 2015-02-19T19:02:35Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-keywords-and-associated-values-with-rex-from-raw/m-p/147147#M41130 <P>I have a request input output logged by various sourcetypes in XML and other similar below format. I tried multiple options to extract exact keywords and associated values to display in a table, but I have been unable to do so. Please help.</P> <P>Sample Data:</P> <PRE><CODE>Somecontent.ssn=XXXXXXXXX.Somecontent.SomeOthercontent in XML: &lt;SSN&gt; XXXXXXXXX &lt;/SSN&gt; </CODE></PRE> <P>Options Tried:</P> <PRE><CODE>| rex field=_raw "SSN=(?P\d\d\d-?\d\d-?\d\d\d\d)" | stats count by SSN | rex field=_raw=\W+SSN "(?\w+)" | stats count by SSN | rex field=_raw "SSN\=(?\d{9})+"| stats count by SSN </CODE></PRE> Thu, 19 Feb 2015 16:28:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-keywords-and-associated-values-with-rex-from-raw/m-p/147147#M41130 satya2p 2015-02-19T16:28:39Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-keywords-and-associated-values-with-rex-from-raw/m-p/147148#M41131 <P>Your rex commands are not extracting fields. Therefore, there is nothing for downstream commands to work with. Try this:</P> <PRE><CODE>... | rex "SSN\&gt;\s*(?P&lt;SSN&gt;\d{9})" | stats count by SSN </CODE></PRE> <P>The first "SSN" is an eyecatcher to help rex find the right data in your XML. The second "SSN" is a field name which can be used by the stats command.</P> Thu, 19 Feb 2015 18:29:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-keywords-and-associated-values-with-rex-from-raw/m-p/147148#M41131 richgalloway 2015-02-19T18:29:46Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-keywords-and-associated-values-with-rex-from-raw/m-p/147149#M41132 <P>Thank you.. I tried, its just reading all SSN keyword(considering false positive) not extracting the values and listing out.</P> Thu, 19 Feb 2015 19:02:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-keywords-and-associated-values-with-rex-from-raw/m-p/147149#M41132 satya2p 2015-02-19T19:02:35Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-keywords-and-associated-values-with-rex-from-raw/m-p/147150#M41133 <P>Let's try something simpler. This should display all the SSN values found.</P> <PRE><CODE>... | rex "SSN\&gt;\s*(?P&lt;SSN&gt;\d{9})" | table SSN </CODE></PRE> Thu, 19 Feb 2015 19:14:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-keywords-and-associated-values-with-rex-from-raw/m-p/147150#M41133 richgalloway 2015-02-19T19:14:06Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-keywords-and-associated-values-with-rex-from-raw/m-p/147151#M41134 <P>I tried this option earlier, table getting generated for each event logged by keyword but data is not populating. seems its unable to extract values. I am using splunk 5.0.9, is xml filed extraction is available in this release. </P> Thu, 19 Feb 2015 19:20:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-keywords-and-associated-values-with-rex-from-raw/m-p/147151#M41134 satya2p 2015-02-19T19:20:52Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-keywords-and-associated-values-with-rex-from-raw/m-p/147152#M41135 <P>Yes, field extraction using the rex command is the same in version 5. Is the sample data in your OP accurate? Regex strings can be very sensitive to differences in white space, case, etc.</P> Thu, 19 Feb 2015 19:23:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-keywords-and-associated-values-with-rex-from-raw/m-p/147152#M41135 richgalloway 2015-02-19T19:23:52Z