On this forum, don't forget to put your Splunk search code inside the code blocks - if you just paste it in the comment box, a bunch of stuff gets parsed out for some reason.
But back to the question. Instead of rex'ing twice, can we generalize our regex to grab service no matter what those letters are? For example, if the pattern is always "[info] xxxx(service)", then something like this might work.
```
\[info\][^\(]+\((?<service>[^\)]+).+Latency:\s+(\d+\s+){7}(?<cool_num>\d+)
```
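The pattern from the reply above, run against constructed log lines to show what it captures and where it declines to match (an added example, not part of the original post). JavaScript is used because it accepts the same `(?<name>...)` named-group syntax as the rex pattern; the sample lines and the helper name `extractFields` are assumptions, since the thread does not show the real log layout.

```javascript
// Regex copied from the post: capture the service name inside the parentheses
// after "[info]", then skip seven numbers after "Latency:" and capture the eighth.
const PATTERN =
  /\[info\][^\(]+\((?<service>[^\)]+).+Latency:\s+(\d+\s+){7}(?<cool_num>\d+)/;

// Hypothetical helper: returns the two named captures, or null when the line
// does not fit the expected layout.
function extractFields(line) {
  const m = PATTERN.exec(line);
  if (m === null) return null;
  return { service: m.groups.service, cool_num: Number(m.groups.cool_num) };
}

// Constructed sample lines (not taken from the thread).
const SAMPLE_LINES = [
  // Eight numbers after "Latency:" -> eighth is captured.
  "2024-01-01 12:00:00 [info] abcd(billing) call finished Latency: 1 2 3 4 5 6 7 88",
  // Different leading letters, nine numbers -> still the eighth, not the last.
  "2024-01-01 12:00:01 [info] wxyz(auth-api) call finished Latency: 10 20 30 40 50 60 70 805 90",
  // Only seven numbers -> no match, so no fields are extracted.
  "2024-01-01 12:00:02 [info] abcd(billing) call finished Latency: 1 2 3 4 5 6 7",
  // Not an [info] line -> no match.
  "2024-01-01 12:00:03 [warn] abcd(billing) call finished Latency: 1 2 3 4 5 6 7 88",
];

function runSamples() {
  return SAMPLE_LINES.map(extractFields);
}

for (const [i, fields] of runSamples().entries()) {
  console.log(i, fields === null ? "no match" : `${fields.service} ${fields.cool_num}`);
}
```

Lines that do not match simply produce no `service` or `cool_num` field, so a short or differently shaped event drops out of later stats silently rather than raising an error.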