Hi ,

I need to replace value of _time with special extracted log time event. I am using this search but its not working . 

Log event  : 20200625_22:44:35.090 (thread=1): User ID: xxxx

....| rex field=_raw "^(?P<newtime>[^ ]+)" | eval newtime =strptime(newtime, "%m/%d/%Y") | eval _time = 'newtime' | table newtime _time

I am trying to capture the time "20200625_22:44:35.090" in newtime and put this value in _time

Please help