Are you extracting from a field? You may need to use transforms: transforms.conf: [example] SOURCE_KEY = source REGEX = <your_regex> props.conf: REPORT-example = example ... View more

Or you can try: EXTRACT-sourcefield = D:\x5CHost Logs\x5C(?<newfield>[\w]+).\w+.\w+.(mfl|MFL) ... View more

Hi @astackpole , Have you tried: LINE_BREAKER = ([\r\n]+)\s*\<issue\>   ... View more

If you're using a Heavy forwarder go to Settings>Monitoring console>Indexing>Indexing performance . In the snapshot panel, see the status of your indexing. If you're not using a HF, then follow the same steps in your indexer(s) to see what blocks. ... View more

Following your example, the result should look like: 123456789 111111111 Because both events have appear here . If the "appear here" pattern doesn't change you can add it to your search, E.g.: index=test "appear here" | rex "id\s+(?<id>[0-9]{9})" |table id Otherwise, you can exclude what you don't want: index=test NOT "something bad want to exclude" | rex "id\s+(?<id>[0-9]{9})" |table id Hope it helps. ... View more