Hello
Having a log like:
<182>Mar 1 18:18:24 SND1 Policy Manager severity=Info saf=1 safd=RACF record=Mar 1 13:17:31 SND1 baspm[67174579]: Compliance Failure='Sensitive Dataset=USS.SND2.VAR resides on z/OS shared DASD volume=SN2U01 but is not part of SPM dataset filter=SHRD' [DS33795]
I would extract the fields:
SND1 as LPAR field
[DS33795] as DISANUM field
'Sensitive Dataset=USS.SND2.VAR resides on z/OS shared DASD volume=SN2U01 but is not part of SPM dataset filter=SHRD' as DESCRIPTION field
Can you help me write the regex?
I started to write the following
"Compliance Failure" sourcetype="AMI SPM" | rex field=_raw "^(?:[^:\n]*:){2}\d+(?P<LPAR>\s+\w+)(?:[^\[\n]*\[){2}(?P<DISANUM>\w+)" offset_field=_extracted_fields_bounds | stats count by DISANUM
but I'm not able to get the string after Compliance Failure into the field DESCRIPTION
Thanks in advance
Maurizio
Hello, I did the following and now it is ok
"Compliance Failure" | rex "Compliance Failure='(?<DESCRIPTION>[^']*)'\s*\[(?<DISANUM>[^\]]+)\]"
Regards
Maurizio
Hello good morning
Executing your new rex, what I have is:
1 | 23/03/23 13:23:52,425 | { [-] Cat: Policy Manager HostName: SND1 Record: Mar 23 09:23:52 SND1 baspm[33620189]: Compliance Failure='Port=23 included in configuration for TN3270 is not as defined in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments' [DS223821] SAF: 1 SAFD: RACF Severity: Info Time: 2023-03-23T13:23:52.425 } |
But not Description and DISANUM.
Maurizio
If you have done spath and have a field following the spath called Record, then the rex should work, but if you don't have a field called Record because that field is not extracted, then it won't. Your rex is looking at the entire _raw field.
Try this
| rex field=_raw "^.*?(\d+:){2}\d+(?P<LPAR>\s+\w+).*Compliance Failure='(?<DESCRIPTION>[^']*)'\s+\[(?P<DISANUM>\w+)" offset_field=extracted_fields_bounds
Thanks
I have another request:
I have a text like (JSON format):
{"Time": "2023-03-23T13:23:50.551", "HostName": "SND1", "Cat": "Policy Manager", "Severity": "Info", "SAF": 1, "SAFD": "RACF", "Record": "Mar 23 09:23:49 SND1 baspm[33620189]: Compliance Failure='PASSWORD(INTERVAL) for UserId=ZSX110 should be 60 days. It is currently set to 120' [DS223718]"}
I would like to have a DESCRIPTION field based on "Compliance Failure" and DISANUM based on the content between the [ and ] characters at the end of the string (in the above example the DISANUM is [DS223718]).
Thanks in advance
Maurizio
In general, if it's a new question requiring a new answer, please ask it in a new question rather than using an already answered question, so others can help out
If your JSON is already auto extracted then do only the rex statement, otherwise use spath to extract the JSON from the raw event
| spath
| rex field=Record "[^\]]*\]: (?<DESCRIPTION>[^=]*).*\[(?<DISANUM>\w+)"
Hello thanks
OK, it partially worked, because
for the field DESCRIPTION I just have Compliance Failure; I should have:
DESCRIPTION = 'Port=23 included in configuration for TN3270 is not as defined in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments'
Can you help me?
Maurizio
or better, based on the last example:
DESCRIPTION = 'PASSWORD(INTERVAL) for UserId=ZSX110 should be 60 days. It is currently set to 120'
thanks
Maurizio
Sorry - correct rex here
| rex field=Record "[^\]]*\]:\s+Compliance Failure='(?<DESCRIPTION>[^']*).*\[(?<DISANUM>\w+)"
It assumes the description is surrounded by single quote characters
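As an added example that is not part of this thread, the Python script below reproduces both extractions discussed above, the raw syslog form handled by the "| rex field=_raw ..." answer and the Record-field form handled by the final "| rex field=Record ..." answer, so the patterns can be checked offline before being pasted into a search. The two sample events are constructed from the ones quoted in the thread. The regexes follow the answers' logic with two small changes: Python's re module needs the (?P<name>...) group syntax, and the \s+ before the LPAR is kept outside its group so the field holds "SND1" rather than " SND1". The functions return None when an event does not match, which is what happens when the description is not wrapped in single quotes, the assumption the last answer calls out.

```python
import json
import re

# Constructed sample events, modelled on the two shapes quoted in the thread:
# a raw syslog line and a JSON event whose Record field carries the same message.
RAW_SYSLOG = (
    "<182>Mar 1 18:18:24 SND1 Policy Manager severity=Info saf=1 safd=RACF "
    "record=Mar 1 13:17:31 SND1 baspm[67174579]: Compliance Failure='Sensitive "
    "Dataset=USS.SND2.VAR resides on z/OS shared DASD volume=SN2U01 but is not "
    "part of SPM dataset filter=SHRD' [DS33795]"
)
RAW_JSON = '''{"Time": "2023-03-23T13:23:50.551", "HostName": "SND1", "Cat": "Policy Manager", "Severity": "Info", "SAF": 1, "SAFD": "RACF", "Record": "Mar 23 09:23:49 SND1 baspm[33620189]: Compliance Failure='PASSWORD(INTERVAL) for UserId=ZSX110 should be 60 days. It is currently set to 120' [DS223718]"}'''

# Raw syslog form. Skip lazily to the first hh:mm:ss timestamp, take the next
# word as LPAR, then grab the single-quoted description and the bracketed DISANUM.
SYSLOG_RE = re.compile(
    r"^.*?(?:\d+:){2}\d+\s+(?P<LPAR>\w+)"
    r".*Compliance Failure='(?P<DESCRIPTION>[^']*)'\s*\[(?P<DISANUM>\w+)\]"
)

# Record-field form (the JSON case). Skip past "baspm[pid]:" and anchor the
# bracketed DISANUM at the end of the string, as the question asks.
RECORD_RE = re.compile(
    r"^[^\]]*\]:\s+Compliance Failure='(?P<DESCRIPTION>[^']*)'"
    r".*\[(?P<DISANUM>\w+)\]\s*$"
)


def extract_from_syslog(raw):
    """Return LPAR/DESCRIPTION/DISANUM from a raw syslog line, or None on no match."""
    m = SYSLOG_RE.search(raw)
    return m.groupdict() if m else None


def extract_from_record(record):
    """Return DESCRIPTION/DISANUM from a Record string, or None (e.g. no single quotes)."""
    m = RECORD_RE.search(record)
    return m.groupdict() if m else None


def extract_fields(event):
    """Handle either event shape: JSON (HostName + Record) or a raw syslog line."""
    try:
        doc = json.loads(event)
    except ValueError:
        # Not JSON: treat the whole event as the raw syslog line.
        return extract_from_syslog(event)
    if not isinstance(doc, dict):
        return None
    fields = extract_from_record(doc.get("Record", ""))
    if fields is None:
        return None
    # In the JSON shape the LPAR is already a top-level field.
    fields["LPAR"] = doc.get("HostName")
    return fields


if __name__ == "__main__":
    for event in (RAW_SYSLOG, RAW_JSON):
        print(extract_fields(event))
```

In a Splunk search the same split applies: run the Record-field pattern only after spath (or auto-extraction) has produced the Record field, and fall back to the _raw pattern when it has not.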