| rex field=_raw "^(?<ownerid>.*)\s(?<bucket>.*)\s\[(?<date>.*)\]\s(?<ipaddress>

1. | rex field=_raw "^(?<ownerid>.*)\s(?<bucket>.*)\s\[(?<date>.*)\]\s(?<ipaddress>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)\s(?<userid>.*)\s(?<requestid>.*)\s(?<operation>.*)\s(?<key>.*)\s\"(?<requestedURI>.*)\"\s(?<http_status>.*)\s(?<errorcode>.*)\s(?<bytessent>.*)\s(?<objectsize>.*)\s(?<totaltime>.*)\s(?<turnaroundtime>.*)\s\"(?<referrer>.*)\"\s\"(?<useragent>.*)\"\s(?<versionid>.*)$" | where userid IN ( "-", "Anonymous")