These both worked fine. I was curious about runDuration ...
Surprisingly, "rex field=parm "=(?[\S]+)" ran for 5.112s, while
rex field=_raw "(?i)parm=mobileNetworkCode=(?P\d+) ran for 4.449s. I would have thought the rex using the specific field would have been quicker. In this case though, it's only an academic point.
Thank you very much for your excellent, expeditious explanations 🙂
One other (quick?) question (related to this search)...
Splunk is chopping a specific field value at the & (ampersand), i.e. ABCXYZ&123456, and returns only ABCXYZ. How can I coax Splunk to return the entire field contents, which includes the &?