I don't see anything obviously wrong with the regex, so I stuck it into a run anywhere and added random closing parenthesis until it stopped complaining. You have two closing parens, and it says it's missing the closing one. Ditto with if you add one to make it three closing parens. At 5, it shifts to telling you there's an unmatched one at the end. So, 4 is the magic number? | makeresults | rex "-30201[46]:\s*(\S+)\s+(\S+)\s+connection\s+(\d+)\s+for\s+([^:\s]+)\s*:\s*(?:((?:[\d+.]+|[a-fA-F0-9]*:[a-fA-F0-9]*:[a-fA-F0-9:]*))|(\S+))\s*\/\s*(\d{1,5})(?:\s*\(\s*(?:([\S^\\]+)\\)?([\w\-_]+)\s*\))?\s+to\s+([^:\s]+)\s*:\s*(?:((?:[\d+.]+|[a-fA-F0-9]*:[a-fA-F0-9]*:[a-fA-F0-9:]*))|(\S+))\s*\/\s*(\d{1,5})(?:\s*\(\s*(?:([\S^\\]+)\\)?([\w\-_]+)\s*\))?\s+[Dd]uration:?\s*(?:(\d+)[dD])?\s*(\d+)[Hh]?\s*:\s*(\d+)[Mm]?\s*:\s*(\d+)[Ss]?\s+bytes\s+(\d+)\s*(?:(.+?(?=\s+from))\s+from\s+(\S+)|([^\(]+))?\s*(?:\(\s*([^\)\s]+)\s*\))))" Yep, now it tells you that it doesn't match anything. Now, why did it need two extra closing parens, and is it now still working properly? I don't know, because I don't have any sample data I can test with. If that above helps you get where you need to go, well, accept this as a solution and give it a thumbs up! I suspect it won't, though... so if it doesn't help, can you provide a couple of sample events to match it to? Thanks, Rich
... View more