Is it safe to assume the fields statusCode and duration currently hold "{ 200 }" and "{ 277.429137ms }", respectively?
Instead of using a regular expression to create a new field, use eval .. replace to clean up the fields you have:
| eval statusCode=replace(statusCode,"\D","")
| eval duration=replace(duration,"[^\.\w]","")
Alternatively, if you don’t have those fields yet, this will extract them both for you (returning just what you’re looking for with each):
| rex field=_raw "statusCode\D+(?<statusCode>\d+)"
| rex field=_raw "duration\W+(?<duration>[\.\w]+)"
from User warren – Stack Overflow https://stackoverflow.com/questions/75868319/splunk-remove-curly-braces-from-result/75870356#75870356
via IFTTT