Thanks... I was able to get it to work via the query below. I was trying to pull the status code out of the record also, which I am still having issues with.
I tried the basic (\s+\S+){5,6}$ in Regex101 and it seemed to pull properly, but what I have isn't assigning the correct code. It's pulling part of the NNNN in the filename. Also, we're pulling the file size from the record too, which seems to be out of alignment now.
index="ti_is_st" sourcetype="xfer_log" | rex field=_raw "^(\S+\s+){8}\/(([^\s\/]+\/)+)(?<fileName>.+)(\s+\S+){8}$" | rex field=_raw "(\s+\S+){5,6}$(?<status>.+(i|j|k|o|p|q))\s" | search "$field2$" "$field3$" | table _time ip_address Service_Account fileName file_size status | replace o with "Download Successful" i with "Upload Successful" j with "Upload Errored" k with "Upload Aborted" p with "Download Errored" q with "Download Aborted" in status
Record:
Wed Oct 26 10:41:14 2016 0 10.40.112.27 437434 /dirlevel1/dirlevel2/dirlevel3/dirlevel4/chr 2610 4109.txt b s o r aaa_aaaaaaa ssh 0 *
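The parsing problem in this thread (a filename that contains spaces sits between a fixed number of leading tokens and a fixed number of trailing tokens) is easiest to get right by anchoring on both token counts at once, so the filename, file_size and status fields cannot drift relative to each other. The following Python is an added example written for this page; it is not the poster's query and not Splunk code. The field positions are an assumption derived only from the record shown above (eight tokens before the path, eight after the filename, status being the third trailing token), the group names reuse the field names from the poster's table command, and the status labels come from the replace clause. The two sample records are constructed.

```python
import re
from typing import Optional

# Status-code labels, taken from the replace clause in the query above.
STATUS_LABELS = {
    "o": "Download Successful",
    "i": "Upload Successful",
    "j": "Upload Errored",
    "k": "Upload Aborted",
    "p": "Download Errored",
    "q": "Download Aborted",
}

# Assumed record layout, inferred from the single record in the post:
# eight whitespace-separated tokens, a directory path, a filename that may
# contain spaces, then exactly eight trailing tokens. Pinning both counts
# (and the end of line) makes the lazy filename group unambiguous.
RECORD_RE = re.compile(
    r"^(?P<timestamp>(?:\S+\s+){4}\S+)\s+"  # Wed Oct 26 10:41:14 2016
    r"(?P<transfer_secs>\S+)\s+"            # 0
    r"(?P<ip_address>\S+)\s+"               # 10.40.112.27
    r"(?P<file_size>\d+)\s+"                # 437434
    r"/(?P<directory>(?:[^\s/]+/)+)"        # dirlevel1/.../dirlevel4/
    r"(?P<fileName>.+?)\s+"                 # chr 2610 4109.txt (lazy)
    r"(?P<transfer_type>\S+)\s+"            # b
    r"(?P<flag>\S+)\s+"                     # s
    r"(?P<status>\S+)\s+"                   # o  (the code we want)
    r"(?P<access_mode>\S+)\s+"              # r
    r"(?P<Service_Account>\S+)\s+"          # aaa_aaaaaaa (assumed: username)
    r"(?P<service>\S+)\s+"                  # ssh
    r"(?P<auth_method>\S+)\s+"              # 0
    r"(?P<auth_user>\S+)$"                  # *
)

# Constructed sample records in the same layout as the one in the post.
SAMPLE_RECORDS = [
    "Wed Oct 26 10:41:14 2016 0 10.40.112.27 437434 "
    "/dirlevel1/dirlevel2/dirlevel3/dirlevel4/chr 2610 4109.txt "
    "b s o r aaa_aaaaaaa ssh 0 *",
    "Wed Oct 26 10:42:03 2016 2 10.40.112.28 1024 "
    "/dirlevel1/incoming/report final v2.csv "
    "b s j r bbb_bbbbbbb ssh 0 *",
]


def parse_record(line: str) -> Optional[dict]:
    """Parse one xfer_log record into named fields, or None if the layout
    does not match (so a malformed line can never mis-assign a status)."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["file_size"] = int(rec["file_size"])
    rec["status_label"] = STATUS_LABELS.get(
        rec["status"], "Unknown status " + rec["status"]
    )
    return rec


def parse_records(lines) -> list:
    """Parse many lines, dropping the ones that do not fit the layout."""
    return [r for r in (parse_record(l) for l in lines) if r is not None]


if __name__ == "__main__":
    for rec in parse_records(SAMPLE_RECORDS):
        print(rec["timestamp"], rec["ip_address"], rec["Service_Account"],
              repr(rec["fileName"]), rec["file_size"], rec["status_label"])
```

Because the regex requires exactly eight tokens after the filename and is anchored at end of line, the NNNN digits inside the filename can no longer be mistaken for the status code, and file_size stays tied to its fixed position before the path rather than being counted from the filename.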