You're better off cleaning the data first;
you can do this at the sourcetype level in props.conf by adding:
SEDCMD-ccremove=s/\x01/|/g
Or at the search line with:
rex mode="sed" "s/\x01/|/g"
That will replace your FIX SOH with a pipe delimiter. You can then use
| extract pairdelim="|" kvdelim="="
which will automatically extract your kv pairs.
Or you can replace the SOH in your rex with \W (regex for a non-word character), so:
"\W455=(\w+)"
It's better to clean the data first;
put this in your props.conf for your sourcetype:
SEDCMD-ccremove=s/\x01/|/g
or on the search line:
| rex mode="sed" "s/\x01/|/g"
After that you'll have a pipe delimiter for your kv pairs; you can rex the field or use an extract with pairdelim to get your field.
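The two approaches above, reproduced outside Splunk so you can check what each step yields. This is an added example, not code from the answers; the FIX message is constructed and includes tag 1455 to show why the \W guard in "\W455=(\w+)" matters (a bare "455=" would match inside "1455=").

```python
import re
from typing import Dict, Optional

# Constructed sample: a FIX-style event whose tags are separated by SOH (\x01).
# Tag 1455 is included deliberately so the boundary problem below is visible.
SAMPLE_FIX = (
    "8=FIX.4.4\x019=65\x0135=D\x0149=SENDER\x0156=TARGET"
    "\x011455=99\x01455=ABC123\x0110=128\x01"
)


def soh_to_pipe(raw: str) -> str:
    """What SEDCMD-ccremove / rex mode=sed 's/\\x01/|/g' does to the event."""
    return raw.replace("\x01", "|")


def extract_kv(cleaned: str, pairdelim: str = "|", kvdelim: str = "=") -> Dict[str, str]:
    """Mirror of `| extract pairdelim="|" kvdelim="="` on the cleaned event:
    split on the pair delimiter, then split each pair once on the kv delimiter."""
    fields: Dict[str, str] = {}
    for pair in cleaned.split(pairdelim):
        if kvdelim not in pair:          # trailing empty chunk after the final "|"
            continue
        key, value = pair.split(kvdelim, 1)
        fields[key] = value
    return fields


def rex_455(raw: str, guarded: bool = True) -> Optional[str]:
    """The rex-on-raw-data approach. guarded=True is the answer's "\\W455=(\\w+)":
    the SOH itself is a non-word character, so \\W anchors to the tag boundary.
    guarded=False is the naive "455=(\\w+)" and shows the pitfall."""
    pattern = r"\W455=(\w+)" if guarded else r"455=(\w+)"
    match = re.search(pattern, raw)
    return match.group(1) if match else None


if __name__ == "__main__":
    cleaned = soh_to_pipe(SAMPLE_FIX)
    print(cleaned)
    print(extract_kv(cleaned))
    print("guarded:", rex_455(SAMPLE_FIX), "naive:", rex_455(SAMPLE_FIX, guarded=False))
```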