Hello, I have raw data that contains the following:
....OrgnlTxRef:"04172D1xxxx","TxSts":"ACSC","StsRsnInt":{....
I'm trying to take out only the ACSC as a "TxSts" field to search for the events that don't contain it, but I can't figure it out for some reason. Can anybody help me?
Splunk said your query is missing a search command before '^'. And indeed my next pipe is still in white color.
I updated my answer, check now.