Hello all,

I am trying to extract a field from the below event and the extraction is working fine on events that is coming with the value for the field. However, in the events that are coming in empty values it is picking the next matching value. How to fix it so it only picks the required value and ignore the empty field.

Expression used:

(?:[^,]+,){23}\"(?<occurance>\w+)\",.*

Below highlighted is the event that is extracting correct:

50271232,00004102,00000000,1600,"20210901225500","20210901225500",4,-1,-1,"SYSTEM","","System",46769357,"System","Server-I \x83W\x83\x87\x83u\x83l\x83b\x83g(AJSROOT1:/\x90V\x8A_\x96{\x94ԏ\x88\x97\x9D/\x92l\x8ED\x94\xAD\x8Ds/04_\x92l\x8ED\x8Ew\x8E\xA6\x83f\x81[\x83^\x98A\x8Cg_\x8CߑO1TAX:@5V689)\x82\xF0\x8AJ\x8En\x82\xB5\x82܂\xB7","Information","admin","/App/Sys/AJS2","JOBNET","AJSROOT1:/\x90V\x8A_\x96{\x94ԏ\x88\x97\x9D/\x92l\x8ED\x94\xAD\x8Ds/04_\x92l\x8ED\x8Ew\x8E\xA6\x83f\x81[\x83^\x98A\x8Cg_\x8CߑO1TAX","JOBNET","AJSROOT1:/\x90V\x8A_\x96{\x94ԏ\x88\x97\x9D/\x92l\x8ED\x94\xAD\x8Ds/04_\x92l\x8ED\x8Ew\x8E\xA6\x83f\x81[\x83^\x98A\x8Cg_\x8CߑO1TAX","AJSROOT1:/\x90V\x8A_\x96{\x94ԏ\x88\x97\x9D/\x92l\x8ED\x94\xAD\x8Ds/04_\x92l\x8ED\x8Ew\x8E\xA6\x83f\x81[\x83^\x98A\x8Cg_\x8CߑO1TAX","START","20210901225500","","",11,"A0","AJSROOT1:/\x90V\x8A_\x96{\x94ԏ\x88\x97\x9D/\x92l\x8ED\x94\xAD\x8Ds","A1","04_\x92l\x8ED\x8Ew\x8E\xA6\x83f\x81[\x83^\x98A\x8Cg_\x8CߑO1TAX","A3"

The below event does not have the value in the field and the next matching field is picked from below.

50266209,00000501,00000000,3476,"20210901220311","20210901220311",4,-1,-1,"SYSTEM","","psd005",142331,"MS932","OR01201S [psd005:HONDB1] YSN1 free 4.52% \x82\xAA\x82\xB5\x82\xAB\x82\xA2\x92l5%\x82\xF0\x89\xBA\x89\xF1\x82\xE8\x82܂\xB5\x82\xBD (Free size = 1466560KB) [Jp1 Notified]","Alert","","/insight/PI","","","","","","","","","",9,"ACTION_VERSION","510","OPT_CATEGORY","OS","OPT_PARM1","","OPT_PARM2","","OPT_PARM3","","OPT_PARM4","","OPT_SID","HONDB1","OPT_URL1","","OPT_URL2","",

Please help in this.