index=wineventlog eventtype="msad-dns-debuglog" | rex mode=sed "s/\(.*?\)/./g s/^\.+(\s+)?// s/\.$//"

I am getting .www.google.com in the raw data which is a lot closer than I thought I was. I am unsure

You are still not illustrating what is in the raw event. This result only suggests that

1. the targeted string (e.g., "(3)www(6)google(3)com(0)") is at the end of the line in the raw event (thus positive on s/\.$//);
2. there is some other string before the target string in the raw event (thus negative for s/^\.+(\s+)?//); and
3. the character immediately before the target string is not a quotation mark as I used to illustrate my point about anchor in regex.

If there is some guarantee that 1 is always true in eventtype msad-dns-debuglog, it would be fine to anchor your regex against $. But you have to show us what that leading anchor can possibly be.

By the way, using elimination of \. AFTER substitution, whether leading or trailing, is a very risky strategy because you could easily be altering parts of the raw string you don't want to alter. It is much safer to be explicit about those "(3)", etc. If you want to be as generic as possible but minimize the risk of undesirable alterations, this is perhaps the best approach:

| rex mode=sed "s/(\W+)\(\d+\)/\1/ s/\(\d+\)$// s/\(\d+\)(\W)/\1/ s/(\w)\(\d+\)(\w)/\1.\2/g"
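Added example, not part of the original thread: the first and last sed chains from the posts above, translated to Python's `re` module and run over constructed log lines, to show what each one changes outside the DNS name. The function names and sample lines are made up for illustration, and it is an assumption that these patterns behave the same in Python as in Splunk's sed mode.

```python
import re

# Constructed sample lines shaped like a Windows DNS debug log entry.
# SAMPLE_NOTE carries an extra parenthesised field that is not part of the name.
SAMPLE_PLAIN = ("PACKET UDP Rcv 10.0.0.5 a1b2 Q [0001 D NOERROR] A      "
                "(3)www(6)google(3)com(0)")
SAMPLE_NOTE = ("PACKET UDP Rcv 10.0.0.5 (client) Q [0001 D NOERROR] A "
               "(3)www(6)google(3)com(0)")
SAMPLE_SHORT = "A (1)a(1)b(3)com(0)"  # constructed: single-character labels


def blanket(raw):
    """First chain on the page: every (...) becomes a dot, then edge dots go."""
    raw = re.sub(r"\(.*?\)", ".", raw)               # s/\(.*?\)/./g
    raw = re.sub(r"^\.+(\s+)?", "", raw, count=1)    # s/^\.+(\s+)?//
    return re.sub(r"\.$", "", raw, count=1)          # s/\.$//


def explicit(raw):
    """Last chain on the page: only (digits) length markers are touched."""
    raw = re.sub(r"(\W+)\(\d+\)", r"\1", raw, count=1)  # leading marker
    raw = re.sub(r"\(\d+\)$", "", raw, count=1)         # trailing marker
    raw = re.sub(r"\(\d+\)(\W)", r"\1", raw, count=1)   # marker before non-word
    return re.sub(r"(\w)\(\d+\)(\w)", r"\1.\2", raw)    # inner markers, /g


if __name__ == "__main__":
    for line in (SAMPLE_PLAIN, SAMPLE_NOTE, SAMPLE_SHORT):
        print("raw     :", line)
        print("blanket :", blanket(line))
        print("explicit:", explicit(line))
        print()
```

On the constructed `SAMPLE_SHORT` line the explicit chain leaves `a.b(3)com`, because each match of the last expression consumes the word characters on both sides of the marker, so names with single-character labels need a separate check.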