https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-fields-from-my-sample-log-using-regex/m-p/224722#M66208 <P>Don't know if you can do it with a regex, but what you can do is capture everything from the first "Step=" to the next field value, and then use <CODE>makemv</CODE> with <CODE>delim=" , Step="</CODE></P> <P>Regex would look like this:</P> <PRE><CODE>... | rex "Step=(?P&lt;steps&gt;.+) ,&lt;following field&gt;" </CODE></PRE> <P>or if there are no fields after the "step" fields:</P> <PRE><CODE>... | rex "Step=(?P&lt;steps&gt;.+) , $" </CODE></PRE> <P>Then use makemv to convert the single string into a list of values:</P> <PRE><CODE>... | makemv delim=" , Step=" steps </CODE></PRE> <P>This should result in something like this:</P> <PRE><CODE>Field1 Field2 steps A B 11001 11018 12302 ... 15016 </CODE></PRE> <P>Hope this helps</P> Wed, 11 Nov 2015 14:22:33 GMT aholzer 2015-11-11T14:22:33Z https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-fields-from-my-sample-log-using-regex/m-p/224721#M66207 <P>I got a log containing "Step" values in order:</P> <P>Step=11001 , Step=11018 , Step=12302 , Step=12319 , Step=12800 , Step=12805 , Step=12806 , Step=12801 , Step=12802 , Step=12305 , Step=11006 , Step=11001 , Step=11018 , Step=12304 , Step=12319 , Step=12804 , Step=12816 , Step=12311 , Step=15041 , Step=15004 , Step=15013 , Step=24432 , Step=24416 , Step=22037 , Step=15044 , Step=12312 , Step=12305 , Step=11006 , Step=11001 , Step=11018 , Step=12304 , Step=12306 , Step=11503 , Step=24703 , Step=24702 , Step=15035 , Step=15042 , Step=15036 , Step=15004 , Step=15016 , </P> <P>How can I extract fields from this? End result should be that each Step has its own field (Step1, Step2) and so on</P> Wed, 11 Nov 2015 14:04:24 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-fields-from-my-sample-log-using-regex/m-p/224721#M66207 bravon 2015-11-11T14:04:24Z https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-fields-from-my-sample-log-using-regex/m-p/224722#M66208 <P>Don't know if you can do it with a regex, but what you can do is capture everything from the first "Step=" to the next field value, and then use <CODE>makemv</CODE> with <CODE>delim=" , Step="</CODE></P> <P>Regex would look like this:</P> <PRE><CODE>... | rex "Step=(?P&lt;steps&gt;.+) ,&lt;following field&gt;" </CODE></PRE> <P>or if there are no fields after the "step" fields:</P> <PRE><CODE>... | rex "Step=(?P&lt;steps&gt;.+) , $" </CODE></PRE> <P>Then use makemv to convert the single string into a list of values:</P> <PRE><CODE>... | makemv delim=" , Step=" steps </CODE></PRE> <P>This should result in something like this:</P> <PRE><CODE>Field1 Field2 steps A B 11001 11018 12302 ... 15016 </CODE></PRE> <P>Hope this helps</P> Wed, 11 Nov 2015 14:22:33 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-fields-from-my-sample-log-using-regex/m-p/224722#M66208 aholzer 2015-11-11T14:22:33Z https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-fields-from-my-sample-log-using-regex/m-p/224723#M66209 <P>Thanks for the input - it got us on the right track:)</P> Thu, 12 Nov 2015 15:23:33 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-fields-from-my-sample-log-using-regex/m-p/224723#M66209 bravon 2015-11-12T15:23:33Z https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-fields-from-my-sample-log-using-regex/m-p/224724#M66210 <PRE><CODE>| rex max_match=0 "Step=(?&lt;a_Step&gt;([0-9]{5}))" </CODE></PRE> <P>This puts all the "Step" values in one field called "a_Step"<BR /> Next task is to lookup the a_Step-values in a .cvs-file and properly present the info to a user</P> <PRE><CODE>| lookup my_csv_lookup "Message Code" AS a_Step OUTPUT Category </CODE></PRE> <P>When using the search app and applying the rex+lookup the "Category" field now lists the Category for each Step in the right order.<BR /> Next task at hand is to figure out how to best present this to the users accessing the data</P> Tue, 29 Sep 2020 07:55:01 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-fields-from-my-sample-log-using-regex/m-p/224724#M66210 bravon 2020-09-29T07:55:01Z