Re: Extract Multiple fields

jayeshrajvir · ‎03-15-2022

Sample data

[A028 : 00]
[F037 : 928323177452]
[F038 : 456137]
[F039 : 0]

The query below is working but i wanted to merge, basically i wanted to use rex field=_raw just once. How to extract multiple fields

index=au_axs_common_log sourcetype=anz_axs_auth_core_log "[A028" |rex field=_raw "(\[F039\s*:(?.*?)\])"| rex field=_raw "\[A028\s*:(?.*?)\]" |stats count by axrc,vrc

jayeshrajvir · ‎03-15-2022

@venky1544 It fetches/matching all the four fields. I wanted to match only two fields. Can you please share your thoughts.

venky1544 · ‎03-15-2022

Hi @jayeshrajvir

PFB screenshot hope this helps

venky1544 · ‎03-15-2022

hi @jayeshrajvir

try this regex \[\w+\s:\s\d+\]

just curious what are you doing with the regex coz there is no named group in the regex ??

is this a tweaked query you pasted here

Extract Multiple fields

rex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Data Management Digest – May 2026

Join the Conversation