https://community.splunk.com/t5/Splunk-Search/extract-field-using-rex-without-using-raw/m-p/505530#M141276 <P>Hi,</P><P>_raw is the default field for rex. You can use the rex command without specifying the field if you are targetting your raw data (e.g. like you are doing). If you want to rex from a table (e.g. stats result) you need to specify the field.</P><P>You can always set up a field extraction in props.conf for your sourcetype. This way you don't need to use rex on your search.</P><P>What I don't understand is what you mean with an error thrown with the commit to Github. Do you run Splunk app inspect as some sort of workflow action on commit and that's throwing the errors? If that's the case can you post your search stanza ("<SPAN>[ABC</SPAN><SPAN>&nbsp;Error alert]</SPAN>") from searches.conf?</P><P>Regards</P> Mon, 22 Jun 2020 16:12:03 GMT diogofgm 2020-06-22T16:12:03Z https://community.splunk.com/t5/Splunk-Search/extract-field-using-rex-without-using-raw/m-p/505521#M141273 <P>I have data like</P><P>202-06-19T13:02:293 message="event(level=Error name=xyz)</P><P>&nbsp;context: {</P><P>Id: 12345,</P><P>locale: 'us'</P><P>blah blah</P><P>&nbsp;</P><P>My objective is to get error count by corresponding to Id . I have a csv say abc.csv from which I have to look up Id and display result only corresponding to the Id present in csv. moreover for some logs id is logged as field but for some it is not getting logged as field. I used below query:</P><P>&nbsp;</P><LI-CODE lang="markup">index=rxc sourcetype="rxcapp" (level=ERROR) earliest=-30m | rex field=_raw "Id:[\S\s]+?(?&lt;Id&gt;.\d+)" | search [| inputlookup abc.csv | rename id as Id | fields Id]| lookup abc.csv id As Id OUTPUT site| stats count by name site level</LI-CODE><P>&nbsp;</P><P>It is giving me result correctly when I search but when I go and commit it on github it throws error like below :</P><P>&nbsp;</P><P><SPAN>REX FIELD checks for use of _raw </SPAN><BR /><SPAN>FAILURE: in file local/searches.conf in section [ABC&nbsp;</SPAN><BR /><SPAN>&nbsp;Error alert] -&gt; rex field cannot = _raw</SPAN>&nbsp;</P><P>Is there any way I can achieve what I want without using _raw and&nbsp; "context" is also not logged as field in logs(fyi)</P> Mon, 22 Jun 2020 14:53:23 GMT https://community.splunk.com/t5/Splunk-Search/extract-field-using-rex-without-using-raw/m-p/505521#M141273 ksharma7 2020-06-22T14:53:23Z https://community.splunk.com/t5/Splunk-Search/extract-field-using-rex-without-using-raw/m-p/505530#M141276 <P>Hi,</P><P>_raw is the default field for rex. You can use the rex command without specifying the field if you are targetting your raw data (e.g. like you are doing). If you want to rex from a table (e.g. stats result) you need to specify the field.</P><P>You can always set up a field extraction in props.conf for your sourcetype. This way you don't need to use rex on your search.</P><P>What I don't understand is what you mean with an error thrown with the commit to Github. Do you run Splunk app inspect as some sort of workflow action on commit and that's throwing the errors? If that's the case can you post your search stanza ("<SPAN>[ABC</SPAN><SPAN>&nbsp;Error alert]</SPAN>") from searches.conf?</P><P>Regards</P> Mon, 22 Jun 2020 16:12:03 GMT https://community.splunk.com/t5/Splunk-Search/extract-field-using-rex-without-using-raw/m-p/505530#M141276 diogofgm 2020-06-22T16:12:03Z https://community.splunk.com/t5/Splunk-Search/extract-field-using-rex-without-using-raw/m-p/505647#M141361 <P>Got it by just removing filed and _raw&nbsp;</P><P>&nbsp;</P><P>|rex "Id:\s*(?&lt;Id&gt;\d+),"</P> Tue, 23 Jun 2020 05:13:58 GMT https://community.splunk.com/t5/Splunk-Search/extract-field-using-rex-without-using-raw/m-p/505647#M141361 ksharma7 2020-06-23T05:13:58Z