I generally try to avoid putting multiple field extracts in a single rex.
Instead, I go for sequential ones like this:
<search>
| rex field=_raw "(?<ip>\d+\.\d+\.\d+\.\d+):"
| rex field=_raw "\d+:(?<port>\d+)"
| rex field=_raw "\d+:\d+\s+(?<msg>.+)"
<more stuff here>
In this example, I’m pulling an IP, port, and some message afterwards into three new fields: ip, port, msg.
Of course, if you can, this should be done in props.conf … but that’s not always possible.
from User warren – Stack Overflow https://stackoverflow.com/questions/64915269/splunk-how-to-use-multiple-regular-expressions-in-one-query/64918787#64918787
via IFTTT
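As an added illustration (my own code, not part of the answer above), the same three-step chain emulated with Python's re module over constructed events. Splunk's (?<name>...) groups become (?P<name>...) in Python; the sample events and the combined single-pass pattern are mine, added to show that chained extractions keep whatever partial fields match and that unanchored patterns can latch onto an earlier token such as a timestamp.

```python
import re

# Python equivalents of the three sequential rex commands from the answer.
SEQUENTIAL = [
    re.compile(r"(?P<ip>\d+\.\d+\.\d+\.\d+):"),
    re.compile(r"\d+:(?P<port>\d+)"),
    re.compile(r"\d+:\d+\s+(?P<msg>.+)"),
]

# One combined pattern doing the same job in a single pass, for comparison
# (assumed equivalent; it is not from the original answer).
COMBINED = re.compile(
    r"(?P<ip>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)\s+(?P<msg>.+)"
)


def extract_sequential(raw: str) -> dict:
    """Mimic chained `| rex` commands: each pattern that matches adds its
    named groups to the event; a pattern that fails simply adds nothing."""
    fields = {}
    for pattern in SEQUENTIAL:
        m = pattern.search(raw)
        if m:
            fields.update(m.groupdict())
    return fields


def extract_combined(raw: str) -> dict:
    """All-or-nothing: if the single pattern fails, no fields are produced."""
    m = COMBINED.search(raw)
    return m.groupdict() if m else {}


# Constructed sample events (not taken from the original post).
FULL_EVENT = "10.0.0.5:8443 TLS handshake failed"
PARTIAL_EVENT = "10.0.0.5: connection reset"        # no port, no message
TIMESTAMPED_EVENT = "12:34:56 10.0.0.5:8443 TLS handshake failed"

if __name__ == "__main__":
    for raw in (FULL_EVENT, PARTIAL_EVENT, TIMESTAMPED_EVENT):
        print(raw)
        print("  sequential:", extract_sequential(raw))
        print("  combined:  ", extract_combined(raw))
```

On the timestamped event the unanchored port pattern matches "12:34" first and reports port 34, while the combined pattern reports 8443; on the partial event the chain still yields ip while the combined pattern yields nothing.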