https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-that-appears-several-times-but-with/m-p/181009#M52168 <PRE><CODE>.. | rex field=_raw "\'Via\'\s\'(?&lt;viavalue&gt;.*)\'" </CODE></PRE> <P>viavalue would have the text between the single quote after via</P> Fri, 20 Mar 2015 02:45:56 GMT ramdaspr 2015-03-20T02:45:56Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-that-appears-several-times-but-with/m-p/181008#M52167 <P>Hello community,</P> <P>Can you give me a hand with the following case:</P> <P>I have the following log and desire to extract a field that appears several times, but with different values for every event. The log is a sip server.</P> <P>The field to be created is "via" with the respective values in front of each of them.</P> <PRE><CODE>'Via' 'SIP/2.0/UDP 172.20.30.219;rport;branch=z9hG4bK915603406529843-AP;ft=172.20.30.219~13c4' 'Via' 'SIP/2.0/UDP 172.20.30.218:15060;rport=15060;ibmsid=local.1423076844553_14140521_14153316;branch=z9hG4bK915603406529843' 'Via' 'SIP/2.0/UDP 172.20.30.218:15060;rport;ibmsid=local.1423076844553_14140520_14153315;branch=z9hG4bK796372520547692' 'Via' 'SIP/2.0/TLS 172.20.30.219;branch=z9hG4bK0fcbd45fcd1e41df3a54ebe9bc00-AP;ft=33364;received=172.20.30.219;rport=22178' 'Via' 'SIP/2.0/TLS 172.20.30.41;branch=z9hG4bK0fcbd45fcd1e41df3a54ebe9bc00' 'Via' 'SIP/2.0/TCP 172.20.30.33;branch=z9hG4bK0fcbd45fcd1e41df3a54ebe9bc00' </CODE></PRE> <P>and within those same lines is the "branch" field that also has different values.</P> Thu, 19 Mar 2015 22:39:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-that-appears-several-times-but-with/m-p/181008#M52167 fmaldonado6441 2015-03-19T22:39:35Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-that-appears-several-times-but-with/m-p/181009#M52168 <PRE><CODE>.. | rex field=_raw "\'Via\'\s\'(?&lt;viavalue&gt;.*)\'" </CODE></PRE> <P>viavalue would have the text between the single quote after via</P> Fri, 20 Mar 2015 02:45:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-that-appears-several-times-but-with/m-p/181009#M52168 ramdaspr 2015-03-20T02:45:56Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-that-appears-several-times-but-with/m-p/181010#M52169 <P>Hi <BR /> You can use this search</P> <PRE><CODE> .... | rex field=_raw "\'Via\'\s\'(?&lt;value&gt;.*)\'" | table value | rename value as via </CODE></PRE> <P>Tell me if it satisfy you please</P> Fri, 20 Mar 2015 10:20:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-that-appears-several-times-but-with/m-p/181010#M52169 chimell 2015-03-20T10:20:35Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-that-appears-several-times-but-with/m-p/181011#M52170 <P>Thanks for your support, but it is not exactly what I'm looking for, is that a single event can have multiple lines with informacińo of "via" so the rex suggesting I only extracts the first match, what I want to achieve is to extract the value of the "via" field displays how many times per event.</P> Fri, 20 Mar 2015 14:30:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-that-appears-several-times-but-with/m-p/181011#M52170 fmaldonado6441 2015-03-20T14:30:37Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-that-appears-several-times-but-with/m-p/181012#M52171 <P>Thanks for your support, but it is not exactly what I'm looking for, is that a single event can have multiple lines with informacińo of "via" so the rex suggesting I only extracts the first match, what I want to achieve is to extract the value of the "via" field displays how many times per event.</P> Fri, 20 Mar 2015 14:30:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-that-appears-several-times-but-with/m-p/181012#M52171 fmaldonado6441 2015-03-20T14:30:43Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-that-appears-several-times-but-with/m-p/181013#M52172 <P>Means the sample data you gave bellow is a single event? if not, can you give a sample data, where we can see an event with several values of <STRONG>val</STRONG>?</P> Mon, 30 Mar 2015 08:52:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-that-appears-several-times-but-with/m-p/181013#M52172 stephanefotso 2015-03-30T08:52:45Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-that-appears-several-times-but-with/m-p/181014#M52173 <P>That's right, what values are in the post are from a single event.</P> Mon, 30 Mar 2015 13:32:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-that-appears-several-times-but-with/m-p/181014#M52173 fmaldonado6441 2015-03-30T13:32:43Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-that-appears-several-times-but-with/m-p/181015#M52174 <P>Hi,</P> <P>The solution to my problem was given by adding the parameter "MV_ADD = 1" in the transforms.conf file, basically this parameter allowing to make is that extraction will not stop when it finds a match.</P> <P>props.conf</P> <PRE><CODE>[sip] BREAK_ONLY_BEFORE = ^@ NO_BINARY_CHECK = true disabled = false REPORT-via-extract = via-extract </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[via-extract] CLEAN_KEYS = 0 MV_ADD = 1 REGEX = 'Via'\s+'(?&lt;sip_via&gt;[^\']+) </CODE></PRE> <P>Thank you all for your contributions.</P> Mon, 30 Mar 2015 13:38:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-that-appears-several-times-but-with/m-p/181015#M52174 fmaldonado6441 2015-03-30T13:38:30Z