As requested If you want duration as interger only index=nessus sourcetype="tenable:sc:vuln" pluginID=19506 | rex field=pluginText "Scan duration\s+:\s+(?<scanDuration>[0-9]+)\s" | rex field=pluginText "Scan Start Date\s+:\s+(?<scanStart>[0-9A-Z\/\s:]+)\n" If you want it as string to say in "secs" index=nessus sourcetype="tenable:sc:vuln" pluginID=19506 | rex field=pluginText "Scan duration\s+:\s+(?<scanDuration>[0-9a-z\s]+)\n" | rex field=pluginText "Scan Start Date\s+:\s+(?<scanStart>[0-9A-Z\/\s:]+)\n"   ... View more

@fbond_diligent sorry for the copy paste issue. match() condition is regex based. So * is not required. Please check updated SPL. ... View more