Thanks,

And what about action field here

applist="sniffer-profile" action="pass" appcat="Network.Service"

Hi @pavanbmishra,

sam answer: you don't need field extractions, but if you want you can use one or three  similar regexes:

one regex

| rex "applist\=\"(?<applist>[^\"]+)\"\s+action\=\"(?<action>[^\"]+)\"\s+ appcat\=\"(?<appcat>[^\"]+)\""

three regexes:

| rex "applist\=\"(?<applist>[^\"]+)\""
| rex "action\=\"(?<action>[^\"]+)\""
| rex "appcat\=\"(?<appcat>[^\"]+)\""

Ciao.

Giuseppe