https://community.splunk.com/t5/Splunk-Search/regular-Expression-extration/m-p/290877#M87898 <P>I want to do something like this, referer_domain is the field i want to extract to create a new field. I want to rex the google as one field and bing as another field, Say example google as Test and bing as Test1</P> <P>referer_domain<BR /> <A href="http://www.bing.com">http://www.bing.com</A><BR /> <A href="http://www.buttercupgames.com">http://www.buttercupgames.com</A><BR /> <A href="http://www.google.com">http://www.google.com</A><BR /> <A href="http://www.yahoo.com">http://www.yahoo.com</A><BR /> <A href="https://www.google.com">https://www.google.com</A><BR /> <A href="https://www.bing.com">https://www.bing.com</A></P> <P>I did something like this, which is not working out,</P> <PRE><CODE>index=main sourcetype=access_combined_wcookie | rex field=referer_domain "(?&lt;Test&gt;google)" | rex field=referer_domain "(?&lt;Test1&gt;bing)" | stats count by Test Test1 host </CODE></PRE> <P>I can see single extraction is working fine as expected(the below query), but not the double one. Is it not allowed in splunk or am i missing out any syntax?</P> <PRE><CODE>index=main sourcetype=access_combined_wcookie | rex field=referer_domain "(?&lt;Test&gt;google)" | stats count by Test Test1 host </CODE></PRE> Thu, 06 Jul 2017 05:10:51 GMT Kwip 2017-07-06T05:10:51Z https://community.splunk.com/t5/Splunk-Search/regular-Expression-extration/m-p/290877#M87898 <P>I want to do something like this, referer_domain is the field i want to extract to create a new field. I want to rex the google as one field and bing as another field, Say example google as Test and bing as Test1</P> <P>referer_domain<BR /> <A href="http://www.bing.com">http://www.bing.com</A><BR /> <A href="http://www.buttercupgames.com">http://www.buttercupgames.com</A><BR /> <A href="http://www.google.com">http://www.google.com</A><BR /> <A href="http://www.yahoo.com">http://www.yahoo.com</A><BR /> <A href="https://www.google.com">https://www.google.com</A><BR /> <A href="https://www.bing.com">https://www.bing.com</A></P> <P>I did something like this, which is not working out,</P> <PRE><CODE>index=main sourcetype=access_combined_wcookie | rex field=referer_domain "(?&lt;Test&gt;google)" | rex field=referer_domain "(?&lt;Test1&gt;bing)" | stats count by Test Test1 host </CODE></PRE> <P>I can see single extraction is working fine as expected(the below query), but not the double one. Is it not allowed in splunk or am i missing out any syntax?</P> <PRE><CODE>index=main sourcetype=access_combined_wcookie | rex field=referer_domain "(?&lt;Test&gt;google)" | stats count by Test Test1 host </CODE></PRE> Thu, 06 Jul 2017 05:10:51 GMT https://community.splunk.com/t5/Splunk-Search/regular-Expression-extration/m-p/290877#M87898 Kwip 2017-07-06T05:10:51Z https://community.splunk.com/t5/Splunk-Search/regular-Expression-extration/m-p/290878#M87899 <P>try this <BR /> index=main sourcetype=access_combined_wcookie | rex field=referer_domain "(?&amp;lttest1&amp;gtgoogle)|(?&amp;lttest2&amp;gtbing) | stats count by test1 test2 host</P> Tue, 29 Sep 2020 14:43:27 GMT https://community.splunk.com/t5/Splunk-Search/regular-Expression-extration/m-p/290878#M87899 sbbadri 2020-09-29T14:43:27Z https://community.splunk.com/t5/Splunk-Search/regular-Expression-extration/m-p/290879#M87900 <P>The problem isn't the extraction, its the <CODE>stats</CODE>. <CODE>stats</CODE> will ignore all records that have nulls in any of the <CODE>by</CODE> fields. </P> <P>To make that work, you would have to add a <CODE>fillnull</CODE> command before stats. </P> <PRE><CODE>| fillnull value="" Test Test1 </CODE></PRE> <P>However, this is cleaner...</P> <PRE><CODE> index=main sourcetype=access_combined_wcookie | rex field=referer_domain "(?i)(?&lt;Test&gt;Google|Bing)" | fillnull value="Other" Test | stats count by Test host </CODE></PRE> <HR /> <P>Note - I made the test case-insensitive <CODE>(?i)</CODE> and capitalized the search engine names to make it pretty. Isn't that just <EM>precious</EM>?</P> <P>Edited to mark keywords as code.</P> Thu, 06 Jul 2017 15:42:29 GMT https://community.splunk.com/t5/Splunk-Search/regular-Expression-extration/m-p/290879#M87900 DalJeanis 2017-07-06T15:42:29Z https://community.splunk.com/t5/Splunk-Search/regular-Expression-extration/m-p/290880#M87901 <P>you are always hitting the target with cent percent accuracy @DalJeanis. Below is what my expectation. Thank you.</P> <PRE><CODE>index=main sourcetype=access_combined_wcookie | rex field=referer_domain "(?&lt;Test&gt;google)" | rex field=referer_domain "(?&lt;Test1&gt;bing)" | fillnull value="-" Test Test1 | stats count by Test Test1 host </CODE></PRE> Thu, 06 Jul 2017 17:15:59 GMT https://community.splunk.com/t5/Splunk-Search/regular-Expression-extration/m-p/290880#M87901 Kwip 2017-07-06T17:15:59Z https://community.splunk.com/t5/Splunk-Search/regular-Expression-extration/m-p/290881#M87902 <P>Thank you for valuable comment @sbbadri. below is the one i am looking for,</P> <PRE><CODE>index=main sourcetype=access_combined_wcookie | rex field=referer_domain "(?&lt;Test&gt;google)|(?&lt;Test1&gt;bing)" | fillnull value="-" Test Test1 | stats count by Test Test1 host </CODE></PRE> Thu, 06 Jul 2017 17:19:52 GMT https://community.splunk.com/t5/Splunk-Search/regular-Expression-extration/m-p/290881#M87902 Kwip 2017-07-06T17:19:52Z