https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-or-MV-command-to-extract-multiple-values/m-p/159563#M45040 <P>If that is how your raw data looks like you probably want to use the extract command.</P> <PRE><CODE>... | extract pairdelim=",", kvdelim="=" mv_add=true </CODE></PRE> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/Extract">http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/Extract</A></P> Mon, 03 Aug 2015 17:24:15 GMT bmacias84 2015-08-03T17:24:15Z https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-or-MV-command-to-extract-multiple-values/m-p/159562#M45039 <P>Hi,</P> <P>I have a list of Locate ID's (below) that are contained within a single event in Splunk. I am trying to create regex to pull the values out and list all of them into 1 specified field. The problem is that the numbers vary(locateIds_4, locateIds_7, etc..)</P> <PRE><CODE>locateIds_0=135cc17a-44ce-4318-abce-e1ffc8652c91, locateIds_4=c296725b-1cca-495d-87cf-962fc6c7a0a0, locateIds_3=874d96b2-eee0-4e85-800b-4b6003a0fed5, locateIds_2=4c5e3c30-d43d-49c1-bbcd-77264221393f, locateIds_1=a60587d4-e709-468f-a85d-d6c4389e83f8, locateIds_6=a6676901-37c8-4a05-ac79-765ebccaadef, locateIds_5=4446b0ca-0c1e-4ea5-b474-375235e10a6f </CODE></PRE> <P>The regex I have is: <CODE>rex field=_raw "(?i) .*?: \{(?P&amp;lt;FIELDNAME3&amp;gt;[[a-z]+_[0-100]])"</CODE></P> <P>I cannot seem to capture the right way to extract ONLY the located ID even if the number(s) change. Also, would the mv command be useful as well? I have not used it before so any feedback is greatly appreciated!</P> Tue, 29 Sep 2020 06:54:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-or-MV-command-to-extract-multiple-values/m-p/159562#M45039 pmcfadden91 2020-09-29T06:54:48Z https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-or-MV-command-to-extract-multiple-values/m-p/159563#M45040 <P>If that is how your raw data looks like you probably want to use the extract command.</P> <PRE><CODE>... | extract pairdelim=",", kvdelim="=" mv_add=true </CODE></PRE> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/Extract">http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/Extract</A></P> Mon, 03 Aug 2015 17:24:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-or-MV-command-to-extract-multiple-values/m-p/159563#M45040 bmacias84 2015-08-03T17:24:15Z https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-or-MV-command-to-extract-multiple-values/m-p/159564#M45041 <P>Here's how you'd do it with a regex:</P> <PRE><CODE>| rex field=_raw max_match=100 "(?:locateIds_\d{1,2}=)(?&lt;fieldName&gt;[^,\s]*)" </CODE></PRE> Mon, 03 Aug 2015 18:25:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-or-MV-command-to-extract-multiple-values/m-p/159564#M45041 hogan24 2015-08-03T18:25:29Z https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-or-MV-command-to-extract-multiple-values/m-p/159565#M45042 <P>This will not work. Since the attribute name is different for each pair, the extract will not combine all localeIDs into 1.</P> Mon, 03 Aug 2015 19:06:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-or-MV-command-to-extract-multiple-values/m-p/159565#M45042 somesoni2 2015-08-03T19:06:20Z https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-or-MV-command-to-extract-multiple-values/m-p/159566#M45043 <P>Thanks! I was just reading up on the possibilities of regex with setting a match when I saw this.</P> Mon, 03 Aug 2015 19:17:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-or-MV-command-to-extract-multiple-values/m-p/159566#M45043 pmcfadden91 2015-08-03T19:17:57Z