If this data is being brought in as JSON, you won’t have to rex it out.
If not, though, the issue is your regular expression.
Try it out on regex101.com – you’ll see you’re only grabbing the first value because you’re stopping at a literal ".
Try this instead:
...
| rex field=_raw "codes\":\[(?<codes>[^\]]+)"
| eval codes=split(replace(codes,"\"",""),",")
That will make codes into a multivalue field.
If you don’t care about it being multivalue, you can just do:
| eval codes=replace(codes,"\"","")
to pull the quote marks.
from User warren – Stack Overflow https://stackoverflow.com/questions/66422836/print-string-array-of-a-json-payload-in-splunk/66425124#66425124
via IFTTT
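The rex/eval pipeline from the answer, reproduced in plain Python as an added example (not part of the original answer) so the two regex behaviours can be compared side by side; the sample events and field names are constructed for illustration, and the comma-in-value case shows why parsing the JSON directly is safer than rex+split when the input really is JSON.

```python
"""Python equivalent of the Splunk rex/eval pipeline from the answer."""
import json
import re

# Constructed sample events (not taken from the original question).
RAW_EVENT = '{"id": 42, "codes":["A1","B2","C3"], "status":"ok"}'
RAW_EVENT_COMMA = '{"id": 43, "codes":["A1","B,2"], "status":"ok"}'

# Pattern from the answer: capture up to the closing bracket of the array.
GOOD_RE = re.compile(r'codes":\[(?P<codes>[^\]]+)')
# The mistake the answer describes: stopping at the next literal quote,
# which only ever captures the first array element.
FIRST_ONLY_RE = re.compile(r'codes":\["(?P<codes>[^"]+)')


def rex_codes(raw, pattern=GOOD_RE):
    """Equivalent of `| rex field=_raw "..."`: the named group, or None."""
    match = pattern.search(raw)
    return match.group("codes") if match else None


def split_codes(captured):
    """Equivalent of `| eval codes=split(replace(codes,"\\"",""),",")`.

    Strips every quote mark, then splits on commas into a list (Splunk's
    multivalue field). Any comma inside a value is mis-split, see below.
    """
    return captured.replace('"', "").split(",")


def codes_via_json(raw):
    """The 'already JSON' path: parse the event instead of regexing it."""
    return json.loads(raw)["codes"]


if __name__ == "__main__":
    print(rex_codes(RAW_EVENT, FIRST_ONLY_RE))   # A1  (the reported bug)
    print(split_codes(rex_codes(RAW_EVENT)))     # ['A1', 'B2', 'C3']
    # The regex path splits "B,2" into two values; the JSON path keeps it whole.
    print(split_codes(rex_codes(RAW_EVENT_COMMA)))  # ['A1', 'B', '2']
    print(codes_via_json(RAW_EVENT_COMMA))          # ['A1', 'B,2']
```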