I am able to execute the below search command using rex and retrieve the output successfully:
index=xyz | rex field=_raw "queue[\s=]'(?
However, when I am creating a field extraction using regex for the above "q1" field, I am unable to retrieve any results (index=xyz | q1='test.queue').
The regex used in the field extraction page is queue[\s=]'(?
Can anyone help me by letting me know how to create the field extraction from a rex command?
Tried using the "where" command?
http://docs.splunk.com/Documentation/Splunk/4.3.4/SearchReference/Where
So use it something like ... index=xyz | rex field=_raw "queue[s=]'(?
2012-01-03 16:42:17.346 [MSG:234123] acknowledged by user='admin': queue='test.queue'
2012-01-03 16:42:17.334 : Destroyed producer (connid=10, sessid=9, prodid=4) into queue 'test.queue'
In both cases I'm trying to extract the queue field.
It would help if you could post a sample of your data.
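
An added example, not written by anyone in this thread: a Python check of a queue pattern against the two sample events posted above, showing what the capture group holds in each case. The regex posted in the thread is cut off after `(?`, so the group body `[^']+` and the closing quote are assumptions. Python spells the named group `(?P<q1>...)` where Splunk's rex uses `(?<q1>...)`. The third event and the helper names are constructed for the example.

```python
import re

# Assumed completion of the truncated pattern from the thread. The group
# name q1 comes from the question; the group body [^']+ is a guess.
QUEUE_RE = re.compile(r"queue[\s=]'(?P<q1>[^']+)'")

# The two sample events posted in the thread, plus one constructed event
# that contains no queue at all.
EVENTS = [
    "2012-01-03 16:42:17.346 [MSG:234123] acknowledged by user='admin': queue='test.queue'",
    "2012-01-03 16:42:17.334 : Destroyed producer (connid=10, sessid=9, prodid=4) into queue 'test.queue'",
    "2012-01-03 16:42:18.001 : Session closed (connid=10, sessid=9)",  # constructed
]


def extract_q1(event):
    """Return the captured queue name, or None if the event has no queue."""
    match = QUEUE_RE.search(event)
    return match.group("q1") if match else None


def filter_events(events, wanted):
    """Keep only the events whose extracted q1 equals `wanted` exactly."""
    return [e for e in events if extract_q1(e) == wanted]


if __name__ == "__main__":
    for event in EVENTS:
        print(repr(extract_q1(event)))
    # The quotes sit outside the capture group, so they are not part of q1.
    print(len(filter_events(EVENTS, "test.queue")))
    print(len(filter_events(EVENTS, "'test.queue'")))
```

With this pattern the captured value does not include the surrounding single quotes, so an exact comparison against the quoted string matches no events.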