This usually works. However, it wouldn't extract anything with an input like
ThreadName=Thread-2;|12:26:21,680 INFO OrderController:126 - Net sales per order: 3
since the regex asks for at least two digits. Also, you need to escape the point. Maybe something like this would be better:
| rex field=_raw "order:\s+(? \d+(?:\.\d+)?)"
This allows for an arbitrary number (>0) of whitespace characters.
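An added example, not part of the original post, that runs the corrected pattern over constructed events to show both defects described above. Assumptions: the `WEAK` pattern is a stand-in for the regex being corrected (it is not shown in the post), the group name `net_sales` is hypothetical, and Python's `(?P<name>...)` syntax is used where Splunk's `rex` takes `(?<name>...)`.

```python
import re

# Assumed stand-in for the pattern being corrected (not shown in the post):
# it needs two digit runs, leaves the dot unescaped, and allows one whitespace.
WEAK = re.compile(r"order:\s(?P<net_sales>\d+.\d+)")
# The post's suggestion; the group name net_sales is a hypothetical choice.
FIXED = re.compile(r"order:\s+(?P<net_sales>\d+(?:\.\d+)?)")

PREFIX = ("ThreadName=Thread-2;|12:26:21,680 INFO OrderController:126 "
          "- Net sales per order:")
# Constructed values appended to the log line quoted in the post.
TAILS = [" 3", " 12.50", "   7.25", " 4x9", " n/a"]
SAMPLES = [PREFIX + tail for tail in TAILS]


def extract(pattern, event):
    """Return the captured value, or None when the event does not match."""
    match = pattern.search(event)
    return match.group("net_sales") if match else None


def compare(events=SAMPLES):
    """Return (weak, fixed) extraction results for each event."""
    return [(extract(WEAK, e), extract(FIXED, e)) for e in events]


if __name__ == "__main__":
    for tail, (weak, fixed) in zip(TAILS, compare()):
        # " 3"      : weak misses single-digit values entirely
        # "   7.25" : weak misses values preceded by several spaces
        # " 4x9"    : the unescaped dot lets weak capture a non-number
        print(f"{tail!r:10} weak={weak!r:8} fixed={fixed!r}")
```

On the malformed value `4x9` the corrected pattern still captures the leading `4`, so a search that must reject such events needs an anchor or delimiter after the number.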