Extracting fields from logs using rex
I am trying to extract few fields from an event log using rex command and display the fields in a tabular format.
This is my log:
LOG_LEVEL="INFO" MESSAGE="Type_of_Call = Sample Call LOB = F Date/Time_Stamp = 2022-10-10T21:10:53.900129 Policy_Number = 12-AB-1234-5 Requester_Id = A1231301 Last_Name = SAMPLE State = IL City = Chicago Zip 12345" APPLICATION_VERSION="appVersion_IS_UNDEFINED"
Fields that I want to extract are: Type_of_Call, LOB, Date/Time_Stamp, Policy_Number, Requester_Id, Last_Name, State, City, Zip
This is my splunk rex command:
rex field=_raw "Type_of_Call\s*=\s*(?<Type_Of_Call>\w+)\s+Call\s+LOB\s*=\s*(?<LOB>\w+)\s+Date/Time_Stamp\s*=\s*(?<Date_Time_Stamp>[0-9TZ.:-]+)\s+Policy_Number\s*=\s*(?<Policy_Number>[\w-]+)\s+Requestor_Id\s*=\s*(?<Requestor_Id>\w+)\s+Last_Name\s*=\s*(\w+)\s+State\s*=\s*(?<State>\w+)"
| table msg "Type of Call" "LOB" "Date/Time Stamp" "Policy Number" "Requester Id" "LastName" "State"
The issue that I am having is that Only LOB field and State field come back with values, State field for some reason is adding an escape character and pulling the last "
This is what the results look like: 
Can someone please help
If changing the logs itself could be a fix then i can do that as well
In addition to what @Mads Hansen offered, the slash in "Date/Time_Stamp" must be escaped. Try this regex:
Type_of_Call\s*=\s*(?<Type_Of_Call>\w+)\s+Call\s+LOB\s*=\s*(?<LOB>\w+)\s+Date\/Time_Stamp\s*=\s*(?<Date_Time_Stamp>[0-9TZ.:-]+)\s+Policy_Number\s*=\s*(?<Policy_Number>[\w-]+)\s+Requester_Id\s*=\s*(?<Requestor_Id>\w+)\s+Last_Name\s*=\s*(\w+)\s+State\s*=\s*(?<State>\w+)
- Regex Substitue only on a specific group - sedcmd (Splunk)
- Regex to only return matches when followed by a specific word
- embeding conf files into helm chart
- How to create a timechart in splunk for the timestamp and extracted field?
- Match regex named group up until optional word
- How can I access the TraceId generated by splunk-otel-collector within an ASP.NET web application?
- Splunk result in Table format
- Splunk: How to compute the difference of timestamps by id?
- SPLUNK: How can I count events by location with a list of SERVERNAME's?
- How to represent difference between same fields from two different and simultaneous searches in a table format in Splunk?
- Java 11 HttpClient - POST issue
- Flume sink to Splunk?
- Questions related to splunk builtin macros in correlation search
- how to send the local file using splunk forwarder docker image?
- A table of counts of http status by URL
- How do I use a specific date/time in Splunk dashboard with earliest and latest?
- Splunk - Handling a blank token for a dashboard search
- Splunk - Extracting from search results using regex and aggregates
- Splunk - Grouping by distinct field with stats of another field
- Trying to log to Splunk using logback appender
- How can I download infinite results from a Splunk Search to Export the Data
- Regex extraction from Right to Left
- How to use Python via AWS Lambda to send millions (large quantities of data) of events to Splunk
- How to create a timechart with percentages by fields using a Splunk query?
- Splunk: Show all the ids that are present in different events
- How to show nested structures in Splunk table
- Splunk regex filter events only one occurrence of special character
- How to search a given time range for every day in Splunk?
- Splunk Query to list down active users and the knowledge object created by them
- choropleth map does not render in Dashboard Studio but it does in Classic Dashboards