Yes, if you get an app containing the field extractions, like the Apache Web Server app, then set the sourcetype to be the ones to which the field extractions apply to (usually listed in the app documentation or config files), then you will have field extractions.   The other way is to put the logs in json format but that may not work so great with these logs.

It turns out the cause of my issue was another rex statement down the line that hadn't been updated to match the renamed string. It used  (?<Foo>\D\d*)-0 which matched the string before the replacement, which the statement is now (?<Foo>\D*\d)-0 Apologies for my confusion. I've marked your efforts as the solution as the backslash was indeed not needed. Thank you and have some Karma for your efforts.

The search works as shown which probably means there is something different in your environment which hasn't been made clear to us. Please can you provide more details and examples of where this substitution is not working as expected?

Hi Probably you missed :port part from your input? Without : it doesn’t parse that input correctly. You could see e.g. https://community.splunk.com/t5/Getting-Data-In/udp-portnumber-Event-Blacklist-How-do-I-prevent-unwanted-data/m-p/613039 You have typo on transforms.conf name on your examples, but probably it’s correct on your HF? And you have restarted it after modify those configurations? r. Ismo

The condition is not working for me  like('message' ,"%End of GL-import flow%") AND like('tracePoint',"EXCEPTION") ,"SUCCESS", If the message value=End of GL-import flow and tracepoint values=Exception then it should be SUCCESS.Screen shot attached below index="mulesoft" applicationName="p-oracle-finance-ext" environment=DEV (*End of GL-import flow*) OR (tracePoint="EXCEPTION") OR (priority="WARN" AND message="GLImport Job Already Running, Please wait for the job to complete*") OR ( message="End of GL Import process - No files found for import to ISG") | rename content.File.fstatus as Status | eval Status=case( like('Status' ,"SUCCESS") ,"SUCCESS", like('message' ,"%End of GL-import flow%") AND like('tracePoint',"EXCEPTION") ,"SUCCESS", like('tracePoint',"EXCEPTION") AND like('priority' ,"%ERROR%"),"ERROR", like('Status',"ERROR"),"ERROR", like('priority',"WARN"),"WARN", like('priority',"GLImport Job Already Running, Please wait for the job to complete%"),"WARN", like('message',"%End of GL Import process - No files found for import to ISG%"), "ERROR", 1==1, "") | stats values(content.File.fid) as "TransferBatch/OnDemand" values(content.File.fname) as "BatchName/FileName" values(content.File.fprocess_message) as ProcessMsg values(Status) as Status values(content.File.isg_file_batch_id) as OracleBatchID values(content.File.total_rec_count) as "Total Record Count" values(message) as message values(timestamp) as timestamp values(content.errorType) as errorType by correlationId | eval ProcessMsg= coalesce(ProcessMsg,errorType,message) | eventstats min(timestamp) AS Start_Time, max(timestamp) AS End_Time by correlationId | eval StartTime=round(strptime(Start_Time, "%Y-%m-%dT%H:%M:%S.%QZ")) | eval EndTime=round(strptime(End_Time, "%Y-%m-%dT%H:%M:%S.%QZ")) | eval ElapsedTimeInSecs=EndTime-StartTime | eval "Total Elapsed Time"=strftime(ElapsedTimeInSecs,"%H:%M:%S") | table Status Start_Time "TransferBatch/OnDemand" "BatchName/FileName" ProcessMsg OracleBatchID "Total Record Count" ElapsedTimeInSecs "Total Elapsed Time" correlationId | join correlationId type=left [ search index="mulesoft" applicationName="p-oracle-finance-ext" environment=DEV (message="API: START: /v1/revpro-to-oracle/onDemand*") OR (message="API: START: /v1/fin_Zuora_GL_Revpro_JournalImport") OR (message="API: START: /v1/revproGLImport/onDemand*") | eval JobType=case( like('message',"API: START: /v1/revproGLImport/onDemand%"),"OnDemand", like('message',"API: START: /v1/revpro-to-oracle/onDemand%"),"OnDemand", like('message',"API: START: /v1/fin_Zuora_GL_Revpro_JournalImport"),"Scheduled") | table JobType correlationId ] | table Status JobType Start_Time "TransferBatch/OnDemand" "BatchName/FileName" ProcessMsg OracleBatchID "Total Record Count" ElapsedTimeInSecs "Total Elapsed Time" correlationId | fields - ElapsedTimeInSecs | where JobType!=" "