The req_event_id field has values like:
PL-ADMIN-11004.30A5748A69B1:AEECB6513
PL-ADMIN-11004.30A5748A69B1:AEEC909E6
PL-ADMIN-11004.30A5748A69B1:AEEC909DF
PL-ADMIN-11004.30A5748A69B1:AEECD256F
PL-ADMIN-11004.30A5748A69B1:AEECD2576
PL-ADMIN-11004.30A5748A69B1:AEECB651A
1) I need to extract the first two values as req_event_id_1 and req_event_id_2.
2) If req_event_id has a null value, it should display log_missing, and
3) if req_event_id has only one value, then req_event_id_2 should display unspecified.
Try this:
.... | rex field=req_event_id "(?<req_event_id_1>[^\:]+):(?<req_event_id_2>.*)" | fillnull req_event_id_1 value="log_missing" | fillnull req_event_id_2 value="unspecified"
I have assumed that event id 1 is everything before the ":".
1) I'd expect the 7 digits after the : are part of the information to be captured, so I'd break on the blank (or end-of-field) after that. Basically, I'd pull everything until either a space or the end of the field.
2) I'm not sure where you're designating the name of the fields being extracted by the rex. The syntax I'd expect would look like this:
| rex field=req_event_id "^(?<req_event_id1>[^ $]+) (?<req_event_id2>[^ $]+)\b"
| fillnull req_event_id_1 value="log_missing"
| fillnull req_event_id_2 value="unspecified"
3) I also doubt that would work if there was only one value; since the second part of the regular expression wouldn't be matched, the first wouldn't get a value. So, you'd need to use max_match=2 and set up the regular expression to match each req_event_id, like so:
| rex field=req_event_id max_match=2 "(?<RIDs>[^ $]+)"
| eval req_event_id_1 = coalesce(mvindex(RIDs,0),"log_missing")
| eval req_event_id_2 = coalesce(mvindex(RIDs,1),"unspecified")
I see what's happening - apparently the greater-than and less-than signs are being stripped out of the comments, so the field name in the regex is disappearing.
After each "(?" in my comment there should be the extracted field name, wrapped in greater-than/less-than signs. In the first example, the field names are req_event_id1 and req_event_id2; in the second example, the field name is RIDs.
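The null and single-value handling discussed in the thread, as an added Python example that is not part of any post above: extract_req_event_ids mirrors the max_match=2 / mvindex / coalesce pipeline from the comment, and split_on_colon mirrors the first answer's colon-split rex, where a value with no ":" fails to match and both fields fall back to their fillnull defaults. The function names and the sample events are constructed here (the ids only reuse the format shown in the question).

```python
import re

# One "event id" per run of non-space characters, like rex max_match=2 "(?<RIDs>[^ $]+)".
RID_PATTERN = re.compile(r"[^ ]+")
# The first answer's regex: everything before the first ':' and everything after it.
COLON_PATTERN = re.compile(r"^(?P<req_event_id_1>[^:]+):(?P<req_event_id_2>.*)$")

DEFAULTS = {"req_event_id_1": "log_missing", "req_event_id_2": "unspecified"}


def extract_req_event_ids(req_event_id, max_match=2):
    """Comment's approach: take up to max_match ids, then coalesce each slot.

    None or an empty string behaves like a null field: slot 1 becomes
    'log_missing' and slot 2 'unspecified'. A single id fills slot 1 only.
    """
    rids = [] if req_event_id is None else RID_PATTERN.findall(req_event_id)[:max_match]
    return {
        "req_event_id_1": rids[0] if len(rids) > 0 else DEFAULTS["req_event_id_1"],
        "req_event_id_2": rids[1] if len(rids) > 1 else DEFAULTS["req_event_id_2"],
    }


def split_on_colon(req_event_id):
    """First answer's approach: rex on ':' followed by fillnull on both fields.

    When the regex does not match (no ':' in the value), rex sets neither
    field, so fillnull supplies BOTH defaults, which is the failure mode the
    comment points out.
    """
    m = COLON_PATTERN.match(req_event_id) if req_event_id else None
    if m is None:
        return dict(DEFAULTS)
    return m.groupdict()


# Constructed sample events covering two ids, one id, empty and null.
SAMPLE_EVENTS = [
    "PL-ADMIN-11004.30A5748A69B1:AEECB6513 PL-ADMIN-11004.30A5748A69B1:AEEC909E6",
    "PL-ADMIN-11004.30A5748A69B1:AEEC909DF",
    "",
    None,
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(repr(ev), "->", extract_req_event_ids(ev), "|", split_on_colon(ev))
```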