https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-to-extract-all-values-for-a-field-at-search/m-p/186582#M53730 <P>Hello Guys,</P> <P>I have the following log, and i need to extract all the TagID. I have wrote this regular expression but it only extract the first TagID </P> <BLOCKQUOTE> <P>| rex "(?i)(TagID){(?P<TAGID>\w+)}" </TAGID></P> </BLOCKQUOTE> <P>Tue Aug 19 2014 04:47:18,515 EDT DEBUG wmservice.business.mobilehospital - [saveDeviceRead2 - HM10042 - roy.imad] Method invoked with parameters : [username]{roy.imad}[deviceId]{HM10042}[macAddress]{XXXX-xxxxx-xxxxx-xxxxxx-xxx}[readPacket]{(TagID){E0040100206E6349}|(TagID){E0040100206E7BA7}|(TagID){E0040100206E7917}|(TagID){E0040100206E7BF7}|(TagID){E0040100206E7BAF}|(TagID){E0040100206E7967}|(TagID){E0040100206E64A1}|(TagID){E0040100206E90F4}|(TagID){E0040100206E64A9}|(TagID){E0040100206E796F}|(TagID){E0040100206E791F}|(TagID){E0040100206E90FC}}[readMode]{A}[updateEventInfo]{(Disposition){}(RGA){}(PO){}(SO){}(DetailDisposition){}(EncounterID){null}(DestinationID){}(ReturnID){null}(DispositionFlag){false}(RGAFlag){false}(POFlag){false}(SOFlag){false}(DetailDispositionFlag){false}(EncounterIDFlag){false}(DestinationIDFlag){false}(ReturnIDFlag){false}}[createAudit]{true}[auditInfo]{(EndpointID){RU00014GN1}(Signature){}(ImageSignature){null}(SignerName){null}(Comment){}}</P> Tue, 19 Aug 2014 11:10:59 GMT royimad 2014-08-19T11:10:59Z https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-to-extract-all-values-for-a-field-at-search/m-p/186582#M53730 <P>Hello Guys,</P> <P>I have the following log, and i need to extract all the TagID. I have wrote this regular expression but it only extract the first TagID </P> <BLOCKQUOTE> <P>| rex "(?i)(TagID){(?P<TAGID>\w+)}" </TAGID></P> </BLOCKQUOTE> <P>Tue Aug 19 2014 04:47:18,515 EDT DEBUG wmservice.business.mobilehospital - [saveDeviceRead2 - HM10042 - roy.imad] Method invoked with parameters : [username]{roy.imad}[deviceId]{HM10042}[macAddress]{XXXX-xxxxx-xxxxx-xxxxxx-xxx}[readPacket]{(TagID){E0040100206E6349}|(TagID){E0040100206E7BA7}|(TagID){E0040100206E7917}|(TagID){E0040100206E7BF7}|(TagID){E0040100206E7BAF}|(TagID){E0040100206E7967}|(TagID){E0040100206E64A1}|(TagID){E0040100206E90F4}|(TagID){E0040100206E64A9}|(TagID){E0040100206E796F}|(TagID){E0040100206E791F}|(TagID){E0040100206E90FC}}[readMode]{A}[updateEventInfo]{(Disposition){}(RGA){}(PO){}(SO){}(DetailDisposition){}(EncounterID){null}(DestinationID){}(ReturnID){null}(DispositionFlag){false}(RGAFlag){false}(POFlag){false}(SOFlag){false}(DetailDispositionFlag){false}(EncounterIDFlag){false}(DestinationIDFlag){false}(ReturnIDFlag){false}}[createAudit]{true}[auditInfo]{(EndpointID){RU00014GN1}(Signature){}(ImageSignature){null}(SignerName){null}(Comment){}}</P> Tue, 19 Aug 2014 11:10:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-to-extract-all-values-for-a-field-at-search/m-p/186582#M53730 royimad 2014-08-19T11:10:59Z https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-to-extract-all-values-for-a-field-at-search/m-p/186583#M53731 <P>Hi royimad,</P> <P>try something like this:</P> <PRE><CODE> | rex "\(TagID\)\{(?&lt;tagid&gt;\w+)\}" </CODE></PRE> <P>tested and working on <A href="http://regexr.com/v1/"><CODE></CODE></A><A href="http://regexr.com/v1/" target="test_blank">http://regexr.com/v1/</A> with your provided event example...</P> <P>cheers, MuS</P> Tue, 19 Aug 2014 11:37:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-to-extract-all-values-for-a-field-at-search/m-p/186583#M53731 MuS 2014-08-19T11:37:04Z https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-to-extract-all-values-for-a-field-at-search/m-p/186584#M53732 <P>if i want only to count the number of occurrence of the word TagID without selecting the values how can i do that</P> Tue, 19 Aug 2014 11:45:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-to-extract-all-values-for-a-field-at-search/m-p/186584#M53732 royimad 2014-08-19T11:45:26Z https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-to-extract-all-values-for-a-field-at-search/m-p/186585#M53733 <P>I just want to count the number of occurrence of the word TagID, is that feasible ?</P> Tue, 19 Aug 2014 11:46:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-to-extract-all-values-for-a-field-at-search/m-p/186585#M53733 royimad 2014-08-19T11:46:52Z https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-to-extract-all-values-for-a-field-at-search/m-p/186586#M53734 <P>working on that in your other question <span class="lia-unicode-emoji" title=":winking_face:">😉</span> ....</P> Tue, 19 Aug 2014 11:49:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-regex-to-extract-all-values-for-a-field-at-search/m-p/186586#M53734 MuS 2014-08-19T11:49:19Z