I am wanting to create a rex that will have a list of text that is to be matched, but the matched value is what needs to be extracted. It may end up as an EXTRACT in props.conf, but that is not my immediate concern. I am looking for the rex syntax that might look like this, but produce the results identified in the Expected result line below the sample rex. Sample data is below the rex.

%ASA | rex "tcp|udp|icmp" | stats count by Protocol
Expected result from line 1 of Sample data: Protocol=TCP

%ASA | rex "Built|Teardown|Deny|denied" | stats count by Action
Expected result from line 1 of Sample data: Teardown
Expected result from last line of Sample data: denied

Sample data:

Sep 22 08:23:58 xxx.xxx.xxx.xxx %ASA-6-302014: Teardown TCP connection 586562065 for outside:xxx.xxx.xxx.xxx/xxxxx to inside:xxx.xxx.xxx.xxx/xxxxx duration 0:00:53 bytes 3974 TCP FINs
Sep 22 08:23:57 xxx.xxx.xxx.xxx %ASA-6-302013: Built outbound TCP connection 586562792 for outside:xxx.xxx.xxx.xxx/xxxxx (xxx.xxx.xxx.xxx/xxxxx ) to inside:xxx.xxx.xxx.xxx/xxxxx (xxx.xxx.xxx.xxx/xxxxx )
Sep 22 09:13:51 xxx.xxx.xxx.xxx %ASA-6-302015: Built inbound UDP connection 586601069 for outside:xxx.xxx.xxx.xxx/xxxxx (xxx.xxx.xxx.xxx/xxxxx ) to inside-research:xxx.xxx.xxx.xxx/xxxxx (xxx.xxx.xxx.xxx/xxxxx )
Sep 22 09:15:26 xxx.xxx.xxx.xxx %ASA-4-106023: Deny tcp src biz-research:xxx.xxx.xxx.xxx/xxxxx dst outside:xxx.xxx.xxx.xxx/xxxxx by access-group "biz_-research_in" [0x0, 0x0]
Sep 22 09:23:36 xxx.xxx.xxx.xxx %ASA-3-710003: TCP access denied by ACL from xxx.xxx.xxx.xxx/xxxxx to outside:xxx.xxx.xxx.xxx/xxxxx