My rex search is returning all the rows instead of the one being searched. What am I doing wrong? index=cloudwatchlogs loggroup="/aws-glue/jobs/xxxxx/*" meta_region="us-east-1" meta_env="TEST" meta_type="aws:jobs" | rex field="message.message" max_match=0 "Total rows from Raw Call meta:\s(?<msg1>\d+)\s" | rex field="message.message" max_match=0 "Total Meta rows written to S3 bucket:\s(?<msg2>\d+)\s" | rex field="message.message" max_match=0 "Total QCI Raw Data rows read from S3 bucket:\s(?<msg3>\d+)\s" | rex field="message.message" max_match=0 "Total root rows written to S3 bucket:\s(?<msg4>\d+)\s" Sample data - INFO:__main__:Total rows from Raw Call meta: 3995 INFO:__main__:Deleting duplicate rows INFO:__main__:Total rows before Deleting duplicate rows: 3995 INFO:__main__:Listing duplicates, if any INFO:__main__:Total Meta rows written to S3 bucket: 3995 INFO:__main__:Processing RAW QCI Data. ... View more

| regex "message.message"="Total count XXXXXX: |Total rows YYYYYY: " | rex field="message.message" max_match=0 "^(?<msg1>[^:]*)\:(?<msg2>[^:]*)\:(?<msg3>[^:]*)\:(?<msg4>[^:]*)($|\{)" | eval dtonly=strftime(_time, "%Y%m%d") | chart first(msg4) OVER dtonly BY msg3 I get the stats but not the visualization.   Thanks ... View more