Hi. I have an event that has the line "Total time taken for process: 535 ms" in it. It's not in a field, it's just a raw event. I want to extract just the 535 ms from it, and so I came up with this:

index = *"1500"* "Total time taken for process:" | regex _raw "\d+ ms"

It's the correct regular expression (any number of digits, followed by a space, followed by ms), but it's not working in Splunk, and I am not sure why. It keeps throwing the error:

Usage: regex <field> (=!=) <regex>

I am not sure what this means.