Hello @richgalloway, thank you for taking the time to explain this. I really appreciate the time you invested in explaining it.

1. Interestingly, this one works:

| rex field=_raw message="(?<message>.*).request"

So does this one:

| rex field=_raw "message="(?<message>.*).request""

but not this one:

"message=\\\"(?<message>.*).request\\\""

When I say "works", I mean it gives the desired result, and by "not working" I mean it does not give the desired result, although in none of the cases was there any syntax error. The one with the escaped quotation marks only gives the result up to the first space, i.e. if it is "message=abc efg request-id", it only prints "abc". Does this have anything to do with the Splunk version?

2. Regarding "The sequence .* ("dot-star") means "everything from here on"": I am assuming this is regex and has nothing to do with Splunk itself. So I tried to use this concept in the Sublime Text editor to see what happens. I used

message=Error translating Grubhub webhook order: The location for this order cannot be found request-id

and tried to replace message=.* with, let's say, new. I found the entire thing got wiped out and replaced with new. I was expecting something like message=new. I even tried message="(?<message>.*).request" and "message="(?<message>.*).request"", but no changes happened. Is it because Splunk uses some different regex logic than the Sublime Text editor?

3. I am still confused about the use of quotation marks. I tried using the website you mentioned, but it confused me more lol.
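The following is an added example, not code from the thread above or from Splunk. It runs the patterns the poster tried against constructed event strings in JavaScript's regex engine, chosen because its named-group syntax (?<name>...) is the same one Splunk's PCRE uses, so the patterns can be shown unchanged. The two sample events are made up for illustration (modelled on the message text quoted in the post). The example does not reproduce how Splunk's search parser unescapes \" inside an SPL string; it only shows what each pattern matches once it reaches a regex engine, why replacing message=.* wipes the whole line, and, going beyond the thread, the [^"]* idiom normally used to pull a quoted value.

```javascript
// Added example (not from the Splunk thread). Constructed sample events, not real data:
// one with the message value unquoted, one with it wrapped in double quotes.
const unquoted = 'message=Error translating Grubhub webhook order: The location for this order cannot be found request-id=abc123';
const quoted   = 'message="Error translating Grubhub webhook order: The location for this order cannot be found" request-id=abc123';

// 1. Find/replace with message=.*  -- the .* swallows the rest of the line, so the
//    whole match (prefix included) is replaced and only "new" is left. This is the
//    Sublime result described in the post.
function replaceWholeMatch(line) {
  return line.replace(/message=.*/, 'new');
}

// 2. To end up with "message=new", capture the prefix and re-emit it ($1) so that
//    only the value part of the match is replaced.
function replaceValueOnly(line) {
  return line.replace(/(message=).*/, '$1new');
}

// 3. The unquoted rex pattern: message=(?<message>.*).request
//    Greedy .* first takes everything, then backtracks until ".request" can match;
//    the "." consumes the space in front of "request", so the capture ends at "found".
function extractUnquoted(line) {
  const m = line.match(/message=(?<message>.*).request/);
  return m ? m.groups.message : null;
}

// 4. The same pattern with literal quotes: message="(?<message>.*).request"
//    Both " characters are now required in the data. The unquoted event has no quote
//    after "message=", so it does not match at all. In the quoted event the closing "
//    would have to come directly after "request", which it does not, so that fails too.
function extractWithQuotes(line) {
  const m = line.match(/message="(?<message>.*).request"/);
  return m ? m.groups.message : null;
}

// 5. Beyond the thread: the usual way to extract a quoted value is to stop at the next
//    quote with [^"]* instead of relying on .* plus backtracking to find the end.
function extractQuotedValue(line) {
  const m = line.match(/message="(?<message>[^"]*)"/);
  return m ? m.groups.message : null;
}

// 6. Greedy vs. lazy: with two "request" tokens in a line, .* runs to the last one
//    while .*? stops at the first. Constructed line for the comparison.
const twoRequests = 'message=first request second request-id=x';
function greedy(line) {
  return line.match(/message=(?<message>.*).request/).groups.message;
}
function lazy(line) {
  return line.match(/message=(?<message>.*?).request/).groups.message;
}

console.log('1 whole-match replace :', replaceWholeMatch(unquoted));
console.log('2 value-only replace  :', replaceValueOnly(unquoted));
console.log('3 unquoted pattern    :', extractUnquoted(unquoted));
console.log('4 quoted pattern      :', extractWithQuotes(unquoted), '/', extractWithQuotes(quoted));
console.log('5 [^"]* on quoted data:', extractQuotedValue(quoted));
console.log('6 greedy / lazy       :', greedy(twoRequests), '/', lazy(twoRequests));
```

Run it with node; each numbered function corresponds to one of the behaviours discussed in the post. The practical takeaway for a rex pattern is to make the pattern describe the data exactly as it appears in _raw (a literal " in the pattern needs a " in the event), and to prefer a bounded class such as [^"]* over .* when the value has a known terminator.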