Hey @DanAlexander , try this: | rex field=_raw "action:"(?<Action>.*)";" | rex field=_raw "origin:"(?<Origin>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"" | rex field=_raw "dst:"(?<Dest>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"" | rex field=_raw "layer_name:"(?<Text>\w+)"" ***i'm assuming some text doesnt contain whitespaces, if does, I would try to test with [\s\S]+)";<add data pattern here so it limits the expression | rex field=_raw "src:"(?<Source>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"" I tested on regxr and seems to be working and extracting the fields as it should. input: action:"(?<Action>\w+)"|origin:"(?<Origin>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"|layer_name:"(?<Text>\w+)"|dst:"(?<dest>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"|src:"(?<Source>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" test: (your log example)   notes: *i can't remember if we are able to "bundle" all of these rex extractions into a single command, try to separate quoted expressions using a comma *for text data, the best way would be using a specific number of characters such as \w{n,m} (a number of characters that could be between n and m.  ... View more

Yes, you can make data searchable again but no in the cloud like using DDAA. You can restore self storage data only to a Splunk Enterprise instance. You can't restore self storage data to a Splunk Cloud Platform instance. To recover the information, transfer the exported data to the thawed path folder in a Splunk Enterprise instance, such as $SPLUNK_DB/defaultdb/thaweddb. After the data has been reinstated, you can proceed to query it. When you restore data to the thawed directory on Splunk Enterprise, it does not count against the indexing license volume.   I would like to refer to the following docs to how restore indexed data, since it might depend on your storage system: https://docs.splunk.com/Documentation/SplunkCloud/9.0.2303/Admin/DataSelfStorage#Restore_indexed_data_from_an_AWS_S3_bucket ... View more