No, your regex is likely not matching. You should try out your regex in the interactive field extractor in Splunk, or on some external regex checker tool such as regexpal.com.

Hi Ayn,

Trying to add field extract to solve the above problem.
1min=1;5min=1;60min=1;24hr=1
In Add new field extraction screen entered below regex. Is this OK?
1min (?<1min_val>\d+);
After adding the above I have used the below which didn't give me any results.
index=main sourcetype="splunk-too_small" | stats sum(1min_val)
Please help on this.

No, the field argument for rex refers to what field it should read FROM (default is _raw), not what field it should write. You need to read up on the syntax.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Eval

As for the stats command, I'm not sure what you want to achieve when splitting by _time. If you want to create a timechart, have a look at the timechart command instead.

Hi Ayn,

Does something like below work? - Without Field extractions?
Can we use extract(1min) or rex as below?
ProcessService | rex field=1min (?\w+);field=5min (?\w+);field=60min (?\w+);field=24hr (?\w+); | stats
sum(oneval),sum(fiveval),sum(sixtyval),sum(tfval) by _time