@Mads Hansen‘s answer will most likely work, but experience shows multiple individual rex statements to be safer (ie, they allow for corner cases / data in different sequences, etc):
| rex field=message "OUT:\s+(?<method>\S+)"
| rex field=message "taken:\s+(?<executiontime>\d+)"
Speed for sequential regular expressions – 9 & 23 steps, respectively
If you want to use an all-at-once regular expression, because you know the data is always in the same order, this one is simpler and faster (28 vs 82 steps) than Mads Hansen’s:
| rex field=message "OUT:\s+(?<method>\S+).+?taken:\s+(?<executiontime>\d+)"
Lastly, if you know the order of the message field is always the same, you could do this, making a multivalue field, and separate it after (I combined two eval statements into one line, since they’re not dependent upon each other):
| rex field=message max_match=0 ":\s+(?<mymvfield>\S+)
| eval method=mvindex(mymvfield,0), executionTime=mvindex(mymvfield,-1)
from User warren – Stack Overflow https://stackoverflow.com/questions/73939991/splunk-query-to-extract-multiple-fields-from-single-field/73947539#73947539
via IFTTT