btw, you can test your regex with Splunk directly like this:

$SPLUNK_HOME/bin/splunk cmd pcregextest mregex="(?<total_GC_time>0\.\d+)" test_str="2015-09-10T16:46:31.320-0400: 861067.833: Total time for which application threads were stopped: 0.0010090 seconds"

and the result will look like this:

Original Pattern: '(?<total_GC_time>0\.\d+)'
Expanded Pattern: '(?<total_GC_time>0\.\d+)'
Regex compiled successfully. Capture group count = 1. Named capturing groups = 1.
SUCCESS - match against: '2015-09-10T16:46:31.320-0400: 861067.833: Total time for which application threads were stopped: 0.0010090 seconds'

#### Capturing group data ##### 
Group |            Name | Value
--------------------------------------
    1 |   total_GC_time | 0.0010090

do i do this in the normal search box? i've been unable to get this to work.

Login to your Splunk Server OS and go to your Splunk install directory like /opt/splunk/bin and run it there

haha, if i had access to our Splunk server, life would be grand. sadly i don't. 😞

@jsiker here comes Web-cli App https://splunkbase.splunk.com/app/1607/ to the rescue 🙂

I always just use https://regex101.com/

Depending on the complexity and variability in the logs I'm trying to extract fields from I might do something like this to get at the data

sourcetype = foo | dedup punct | head 10 | table _raw

Similar, but not as good as @MuS's testing method, specially if you don't have server access

| gentimes start=-1 | eval _raw="2015-09-10T16:46:31.320-0400: 861067.833: Total time for which application threads were stopped: 0.0010090 seconds" | rex "(?<total_GC_time>[0-9\.]+)\s*seconds$"

This can run in any splunk instance, and I use this for testing my regex.

awesome! thanks, both work. i realize now i hadn't had a pipe b/w the rex and the rest of my search. great tip for the testing too, didn't know you could do that!