Hi!
The log in question reads as:
HTTP/1.1" 200 365 3
In our Splunk, we don't have an "HTTP status" field to pivot off of.
So I see that the HTTP response always shows as it does above.
So I'd need a regex that gives me something like:
| rex field=HTTP response "
HTTP/1.1" ***
rex "HTTP\/1\.1\"\s*(?<http_response>\d{3})"
Try the above.
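
Added example (not part of the original posts): the regex from the answer, checked offline against constructed log lines in JavaScript, whose named-group syntax `(?<name>...)` is the same one rex accepts. It goes beyond the thread by also trying a hypothetical `GENERAL_RE` that accepts other HTTP versions, because the answer's pattern only matches `HTTP/1.1` requests. The sample lines, function names and `GENERAL_RE` are assumptions made for illustration.

```javascript
// Added example: checks the status-code extraction before it goes into rex.
// Sample lines are constructed; only the tail `HTTP/1.1" 200 365 3` is from the post.
const SAMPLE_LINES = [
  '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 365 3',
  '10.0.0.6 - - "POST /login HTTP/1.1" 401 120 5',
  '10.0.0.7 - - "GET /old HTTP/1.0" 404 90 2',
  '10.0.0.8 - - "GET /api HTTP/2.0" 500 0 9',
  '10.0.0.9 - - "-" 400 0 0', // malformed request, no protocol token
];

// The regex from the answer, unchanged.
const ANSWER_RE = /HTTP\/1\.1"\s*(?<http_response>\d{3})/;
// Hypothetical generalisation: any HTTP version, and the code must be a whole token.
const GENERAL_RE = /HTTP\/\d(?:\.\d)?"\s+(?<http_response>\d{3})\b/;

// Returns the extracted status for each line, or null where the regex does not
// match (in Splunk the field would simply be absent on that event).
function extractStatuses(lines, re) {
  return lines.map((line) => {
    const m = re.exec(line);
    return m ? m.groups.http_response : null;
  });
}

// Counts events per status, like `stats count by http_response`, except that
// unmatched events are kept under "unextracted" so the coverage gap is visible.
function countByStatus(lines, re) {
  const counts = {};
  for (const status of extractStatuses(lines, re)) {
    const key = status === null ? 'unextracted' : status;
    counts[key] = (counts[key] || 0) + 1;
  }
  return counts;
}

console.log('answer regex :', countByStatus(SAMPLE_LINES, ANSWER_RE));
console.log('general regex:', countByStatus(SAMPLE_LINES, GENERAL_RE));
```

Events that land in "unextracted" would have no `http_response` field in Splunk, so a `stats count by http_response` would silently leave them out.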