Hi ashnet16,
As Kristian says, we need some real data and also exactly what you try to extract from that data.
With that said, your original rex | rex field=file "(?\.(.{2,4}\s+?))" does not look right.
If you want to convert your original regular expression \.(.{2,4}\s+?) to rex, I would expect it to look something like this:
| rex field=file ".(?<fieldname>.{2,4}\s+?)"
Cheers!
#Sven Emil
... View more