Hi
How can I extract the "TCP_MISS/200" and "TCP_MISS_SSL/200" or similar from the event below?
1466609862.644 109 1.2.3.55 TCP_MISS/200 387 POST http://sdsd.com/put "user@dd.com" ...........
1466609862.632 17096 2.3.4.167 TCP_MISS_SSL/200 1036 GET https://..................
Try
... | rex "(?<field>TCP[^\s]+)" | ...
Try
... | rex "(?<field>TCP[^\s]+)" | ...