I'm not good with regular expressions yet but here's how I would do it: let's say your field is called 'revenue' and it's exactly the string you posted. Revenue 374256 318747 271437 271957 | REX field="revenue" "Revenue (? .*)" | eval rev=split(rev," ") | table revenue,rev the REX command creates a field called 'rev' which simply remvoves the string "Revenue" from your original value The SPLIT function creates a multivalue field by breaking the value 'rev' on each space in the string If you wanted to break your values into separate events you could add: <your_search> | REX field="revenue" "Revenue (?<rev>.*)" | eval rev=split(rev," ") | mvexpand rev | table revenue,rev I admit I am still developing my understanding of regular expressions. You will likely find a way to use the single REX command along with REX's max_match="0" attribute to create a multivalue field from the REX generated value. ... View more

Thanks! 🙂 ... View more

I'd recommend testing your field extractions using the rex command in a search before adding them to the extractions page. Just enter your search terms, followed by | rex "your regular expression field extraction". I usually also follow it with | stats values myFieldName just to make sure I pick up only the values I wanted and don't have to adjust my regex. So for instance, if I were extracting browser from a log, I might use the following search to test my field extraction: your search terms | rex "userAgent=(?<browser>[^(]+)" | stats values browser ... View more

It worked! Thanks a million 🙂 ... View more