Thanks a lot -:). Will try.

Hi ,

Thanks for your response, below is the sample for the multiple effectrate and sometimes it will be repeated 2 or 3 times and sometimes it will be only once.

"TestResponse":null,"AABBCCDDDEEDDDoProcess":
&&&&&&&&&&&,"effectrate":"1.0",Test""TESTPRocess_ID":*****,"effectiveDate":null,"expirationDate":null,"externalJurisdictionCode":null},"accumulate":null,"calculated":3.31,"effectrate":0.06625,"Rate":null,"basis":null,"exempt":null,"nonTaxable":null

Hi @sen8sen,

if you want to extract the values after effectrate in the field called "response", you could use this regex:

| rex field=response "\"effectrate\":(\"|\s*)(?<effectrate>[^\",]+)"

that you can test at https://regex101.com/r/JBgVAA/1

if instead you want in the field also the word effectrate, you could use this regex:

| rex field=response "\"(?<effectrate>effectrate\":(\"|\s*)[^\",]+)"

Ciao.

Giuseppe

Hi Thanks for your response. But it didnt help. Not sure, if I have explained earlier clearly. I have a field called Response which contains response in the below format.

{"responseDateTime":1594937190449,"status":"SUCCESS",{"value":"********","jurisdictionLevel":"******","jurisdictionId":******,"effectiveDate":null,"expirationDate":null,"externalJurisdictionCode":null},"Jurisdiction":null,"Tax":0.0,"effectRate":3.0,"taxApportionmentRate":null,"basisReductionPercentage":null,"exempt":null,"nonTaxable":null,"taxable":{"value":0.0,"unitOfMeasure":null},"reportingBasis":null,"imposition":{"value":"Sales and Use Tax","userDefined":null,"impositionId":1},"impositionType":{"value":"General Sales and Use","errorMessages":"null"}

From the above I just wanted to show "effectRate":3.0 alone in the field Response, I don't want to show the other things. and sometimes in this Response there will be many effectRate.

You are posting different data each time you post - in the last example your word was 

effectRate - not effectrate as in previous examples.

The following search will work based on your latest example

|  makeresults
|  eval Response="{\"responseDateTime\":1594937190449,\"status\":\"SUCCESS\",{\"value\":\"********\",\"jurisdictionLevel\":\"******\",\"jurisdictionId\":******,\"effectiveDate\":null,\"expirationDate\":null,\"externalJurisdictionCode\":null},\"Jurisdiction\":null,\"Tax\":0.0,\"effectRate\":3.0,\"taxApportionmentRate\":null,\"basisReductionPercentage\":null,\"exempt\":null,\"nonTaxable\":null,\"taxable\":{\"value\":0.0,\"unitOfMeasure\":null},\"reportingBasis\":null,\"imposition\":{\"value\":\"Sales and Use Tax\",\"userDefined\":null,\"impositionId\":1},\"impositionType\":{\"value\":\"General Sales and Use\",\"errorMessages\":\"null\"}"
| rex field=Response "\"(?<effectrate>effectRate\":(\"|\s+)?[^\",]+)"

 However, the last rex line, which is what you want is looking for an optional presence of quotes or spaces before the number and looking for a quote or comma to end the capture. If this changes, then it won't work. You have shown the number sometimes in quotes and sometimes not, so it's a good idea to ensure your data is consistent.