These are mostly because of search order. Let me give an example. If you run this one you will get the exact same error message "Error in 'rex' command: Invalid argument: 'NOT'":

index=foo OR index=bar
| spath output=message path=message
| rex field=message "dst=(?<remote_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
[| makeresults | eval remote_ip=""
| eval remote_ip=split(remote_ip,",")
| mvexpand remote_ip
| table remote_ip]
| stats dc(remote_ip) as total

However, if you run the following, there is no error at all. Hope this helps. So the problem is not in rex; it is highly likely due to the search logic.

index=foo OR index=bar
| spath output=message path=message
| rex field=message "dst=(?<remote_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| search [| makeresults | eval remote_ip=""
| eval remote_ip=split(remote_ip,",")
| mvexpand remote_ip
| table remote_ip]
| stats dc(remote_ip) as total
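A quick way to see why placement matters is to run the subsearch on its own with `format` appended, which renders the same search string that Splunk splices into the outer search. This is an added diagnostic example, not part of the answer above; the two IP addresses are constructed sample values, and the pipeline assumes nothing beyond the standard `makeresults`, `split`, `mvexpand` and `format` commands.

```spl
| makeresults
| eval remote_ip="10.0.0.1,192.0.2.7"
| eval remote_ip=split(remote_ip,",")
| mvexpand remote_ip
| table remote_ip
| format
```

The result is a single `search` field holding an OR of `remote_ip="..."` terms, and when the subsearch returns no rows that field is the literal `NOT ()`. In the first query in the answer that string lands directly after `rex` and is parsed as a `rex` argument, which is exactly the "Invalid argument: 'NOT'" error; in the second query it is handed to `search`, which is the command that understands it.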