Hi,

The rex command is used to search for a regular expression (regex) in a specific field. Here, the default field _raw is used, which contains the entire log.

Regex breakdown:

\"country\":\" : this part looks for "country":".

(?<country>[^\"]+) : (?<country>...) creates a group named country. [^\"]+ matches any character other than ". This part extracts the country value.

Finally, the country value (for example, IND) is stored in a new field named country. This structure helps extract the word country wherever it appears.

| rex field=_raw "\"country\":\"(?<country>[^\"]+)\""

You can test this structure in regex101: country":"([^"]+)
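To see what the rex expression above actually captures, here is the same regex applied outside Splunk to a few constructed events. This is an added example, not code from the post above or from Splunk; the sample events are made up, and Python spells a named group (?P<name>...) where Splunk's PCRE engine accepts (?<name>...). It also shows two edge cases the pattern produces: an event with no country key yields no field, and an empty value yields no field because [^"]+ requires at least one character.

```python
import re

# Constructed sample events (not from the original post), one per line,
# standing in for what the _raw field holds.
SAMPLE_EVENTS = [
    '{"user":"alice","country":"IND","status":"ok"}',
    '{"user":"bob","country":"USA","status":"denied"}',
    '{"user":"carol","status":"ok"}',              # no country key -> no extraction
    '{"user":"dave","country":"","status":"ok"}',  # empty value: [^"]+ needs >= 1 char
]

# Same pattern as the SPL rex, written for Python's re module:
# "country":" literal, then a named group capturing up to the next quote.
COUNTRY_RE = re.compile(r'"country":"(?P<country>[^"]+)"')


def extract_country(raw: str):
    """Return the captured country value, or None when the regex does not match.

    Mirrors rex behaviour: the pattern is searched anywhere in the event,
    and a non-matching event simply has no 'country' field.
    """
    m = COUNTRY_RE.search(raw)
    return m.group("country") if m else None


def extract_all(events):
    """Apply the extraction to a list of events, one result per event."""
    return [extract_country(e) for e in events]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"country={extract_country(event)!r}  <-  {event}")
```

Because rex searches the whole of _raw, the pattern also matches when "country":"..." appears in the middle of a line or inside a nested object; it does not parse the JSON, it only looks for the literal key followed by a quoted value.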