Hi, I didn't get why you cannot use that rex which is working? Personally I always prefer to use my own rex rather than those created by the field extractor. It's Splunk's design decision that if there are multiple matches then those are put in mv fields. You can always expand those into individual events if mv fields are not suitable for your use case.

| makeresults
| eval _raw = "orci eget eros faucibus tincidunt. Duis leo. Sed fringilla mauris sit amet nibh. Donec sodales sagittis magna. Sed consequat, leo eget bibendum sodales, augue velit cursus nunc, {'NotSecrets!!.txt': 'fileHash': 'a3b9adaee5b83973e8789edd7b04b95f25412c764c8ff29d0c63abf25b772646'}, {}}, 'Secrets!!.txt': 'fileHash': 'c092a4db704b9c6f61d6a221b8f0ea5f719e7f674f66fede01a522563687d24b'}, {}}} orci eget eros faucibus tincidunt. Duis leo. Sed fringilla mauris sit amet nibh. Donec sodales sagittis magna. Sed consequat, leo eget bibendum sodales, augue velit cursus nunc,"
| rex max_match=0 "(?:'(?<attachments>.*?)'.*?'fileHash': '(?<sha256>\w+)'}.*?\{.*?\}\}[,\}]\s?)"
| eval foo = mvzip(attachments,sha256,";-;")
| mvexpand foo
| eval foo=split(foo,";-;")
| eval attachments=mvindex(foo,0)
| eval sha256=mvindex(foo,1)
| table attachments sha256

r. Ismo
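As an added illustration (not part of the answer above, and not Splunk's own code), the same extraction can be reproduced outside Splunk so the regex and the multivalue expansion can be checked before the rex goes into a saved search. The sample event below is constructed to match the `_raw` used in the answer; `PATTERN` is the answer's regex with Python named groups, `extract_multi` plays the role of `rex max_match=0` (one list per field, i.e. the mv fields), and `expand_rows` plays the role of the `mvzip`/`mvexpand`/`split`/`mvindex` chain (one row per attachment/hash pair). A small `is_sha256` check is added, as an assumption about what a defender would want, so that a hash that is not 64 hex characters is flagged instead of being silently matched against threat-intel lists.

```python
import re

# Constructed sample event with the same shape as the _raw in the answer above.
RAW = (
    "orci eget eros faucibus tincidunt. Duis leo. Sed consequat, leo eget bibendum sodales, "
    "augue velit cursus nunc, {'NotSecrets!!.txt': 'fileHash': "
    "'a3b9adaee5b83973e8789edd7b04b95f25412c764c8ff29d0c63abf25b772646'}, {}}, "
    "'Secrets!!.txt': 'fileHash': "
    "'c092a4db704b9c6f61d6a221b8f0ea5f719e7f674f66fede01a522563687d24b'}, {}}} "
    "orci eget eros faucibus tincidunt. Duis leo."
)

# The answer's rex, with (?<name>...) rewritten as Python's (?P<name>...).
PATTERN = re.compile(
    r"'(?P<attachments>.*?)'.*?'fileHash': '(?P<sha256>\w+)'}.*?\{.*?\}\}[,\}]\s?"
)

# Assumed sanity check: a SHA-256 digest is exactly 64 hex characters.
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def is_sha256(value):
    """Return True if value looks like a well-formed SHA-256 hex digest."""
    return SHA256_RE.match(value) is not None


def extract_multi(raw):
    """Equivalent of `rex max_match=0`: every match appends to the two mv fields."""
    attachments, hashes = [], []
    for match in PATTERN.finditer(raw):
        attachments.append(match.group("attachments"))
        hashes.append(match.group("sha256"))
    return attachments, hashes


def expand_rows(attachments, hashes):
    """Equivalent of mvzip + mvexpand + split + mvindex: one row per pair.

    Like mvzip, pairs are formed positionally; a malformed hash is kept but
    flagged in `hash_ok` so it can be routed to a triage view instead of
    being compared against indicator lists as if it were valid.
    """
    rows = []
    for attachment, digest in zip(attachments, hashes):
        rows.append({
            "attachments": attachment,
            "sha256": digest,
            "hash_ok": is_sha256(digest),
        })
    return rows


if __name__ == "__main__":
    names, digests = extract_multi(RAW)
    for row in expand_rows(names, digests):
        print(row)
```

Running it prints two rows, `NotSecrets!!.txt` and `Secrets!!.txt` each with its own hash and `hash_ok` set to True, which is the same table the `mvexpand` version produces in Splunk. Because the rows are built with `zip`, a mismatch in the number of names and hashes (a symptom of the regex drifting from the log format) shows up as dropped rows, which is the first thing to check when the Splunk table comes back short.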