How to pull multiple fields from one field in Splu... - Splunk Community

Splunk Search

Example field value in "Field1"

Test1: Successful Test2: 200 Type: Http; Auth: ** URL: abc.com..... IP--Address: xx.xxx.xx.xx Name: xxxxx Path Location: /hdkdsd-/hkk/gdjshd Level: abc User: xxx Site: vjsdjsd

Below query not returning any value:

index=xxx

| rex field=Field1 "Test2\:\s+(?<A1>\d+)\s+"

| rex field=Field1 "URL\:\s+(?<A2>\w+)\s+"

| rex field=Field1 "User\:\s+(?<A3>\w+)\s+"

| table A1, A2, A3

please try this:

| rex field=Field1 "Test2:\s*(?<A1>\d+).*URL:\s*(?<A2>[^ ]*).*User:\s*(?<A3>[^ ]*)"

that you can test at https://regex101.com/r/kj44MB/1

if the events could change, you can put the three regex extractions in three different rex commands.

| rex field=Field1 "Test2:\s*(?<A1>\d+)
| rex field=Field1 "URL:\s*(?<A2>[^ ]*)
| rex field=Field1 "User:\s*(?<A3>[^ ]*)"

Ciao.

Giuseppe

Get Updates on the Splunk Community!

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

As we step into 2026, it’s the perfect moment to reflect on what an extraordinary year 2025 was for the Splunk ...

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Overview Enterprise Security 8.3 introduces a powerful new feature called “Entity Risk Scoring” (ERS) for ...

Unlock Database Monitoring with Splunk Observability Cloud

In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...