Finally- the above one should work..for some reason 'hard' and 'hostname' got missed out even after applying it within the code blocks, i dunno why !

append max_match=0 ?. Where? In the fieldextraction editor?

refer to the documentation above -
something like
sourcetype=linux_secure port "failed password" | rex "\s+(?port \d+)" max_match=0 | stats
so in this case your extracted field , ports, if there are more than one value for ports ALL of them will be fetched under ports.
You can re-use the field extractor regex if you don;t want to write your own regex , and similarly replace the above rex with the rex generated by the field extractor appended by max_match=0

Ok, I understand what you, but when I use the regex from the editor then I get the message 'unbalanced quotes'
Here is the rex:
^<\?\w+\s+\w+="\d+.\d+"\s+\w+="\w+-\d+"\s+\w+="\w+"\?>\s+<\w+\s+\w+\w+="\w+\w+"\s+\w+="\w+\s+\d+.\d+.\d+-\d+"\s+\w+="\w+.\w+.\w+"\s+\w+="\d+">\s+<\w+\w+\s+\w+\w+="\d+"\s+\w+\w+="\d+"\s+\w+\w+="\d+"\s+\w+_\w+="\d+"\s+\w+="(?P[^*]+)

do we only need to extract active_recip to soft_bounced, ie, the 4-5 fileds as shown in your sample events?

No, I need to extract the values for hard_bounced en for hostname

Try this - <your index>|rex field=_raw "hard_bounced=\"+(?<hard>.*?)\"+" max_match=0 | rex field=_raw "hostname=\"+(?<hostname>.*?)\"+" max_match=0 | table hard,hostname

On second thoughts you might want them in separate row , try this if that is the case| rex field=_raw "hard_bounced=\"+(?.*?)\"+" max_match=0 | rex field=_raw "hostname=\"+(?.*?)\"+" max_match=0 | eval fields = mvzip(hard,hostname)
| mvexpand fields
| rex field=fields "(?\w+),(?\w+)"
| table _time hard hostname

Try both this one and the above..one of this is what you need

Hai @Sukisen1981 , if I use the second one I get the message 'Error in 'rex' command: Encountered the following error while compiling the regex 'hard_bounced="+(?.?)"+': Regex: unrecognized character after (? or (?- '

Hi, the code got corrupted while copying, essentially the second query is the same as the first one till mvzip starts...use this

<your index>|rex field=_raw "hard_bounced=\"+(?<hard>.*?)\"+" max_match=0 | rex field=_raw "hostname=\"+(?<hostname>.*?)\"+" max_match=0 | eval fields = mvzip(hard,hostname) 
| mvexpand fields 
| rex field=fields "(?\w+),(?\w+)" 
| table _time hard hostname

Just try to fit the entire code in a continuous line, if you encounter errors., this will work

sadly, still the same error. Don't see a difference between the codes by the way

Hi - Sorry , I once again copied the same code....i am pasting the correct code now. The difference is in the rex field statement, before \w+ the individual field names have to be mentioned, it is just a minor rex syntax issue.
I apologise once again for pasting the same wrong code twice|rex field=_raw "hard_bounced=\"+(?.*?)\"+" max_match=0 | rex field=_raw "hostname=\"+(?.*?)\"+" max_match=0 | eval fields = mvzip(hard,hostname)
| mvexpand fields
| rex field=fields "(?\w+),(?\w+)"
| table _time hard hostname

i see it again the code is not getting pasted properly again.....look at the below

| rex field=_raw "hard_bounced=\"+(?.?)\"+" max_match=0 | rex field=_raw "hostname=\"+(?.?)\"+" max_match=0 | eval fields = mvzip(hard,hostname)
| mvexpand fields
| rex field=fields "(?\w+),(?\w+)"
| table _time hard hostname