https://community.splunk.com/t5/Splunk-Search/String-comparison/m-p/671202#M230033 <P>From your SPL, it looks like you're trying to access the first line after At as the message type</P><P>Have you tried extracting Message type with</P><LI-CODE lang="markup">| rex field=_raw "(?s)At \d+:\d+:\d+\s+-0800\s+-..\s+(?&lt;message_type&gt;\w+):"</LI-CODE><P>where the .. will match the line feed (you may only need a single dot, depends on the data.</P><P>&nbsp;</P> Thu, 07 Dec 2023 23:55:10 GMT bowesmana 2023-12-07T23:55:10Z https://community.splunk.com/t5/Splunk-Search/String-comparison/m-p/671195#M230032 <P>I've got this search</P><LI-CODE lang="markup">index=main sourcetype="bigfix" | eval raw=_raw | rex mode=sed field=raw "s/\n/ /g" | rex field=raw "At \d+:\d+:\d+\s+-0800\s+-(?&lt;message&gt;.*)" | rex field=message "^(?&lt;message_type&gt;[^:]+):\s" | eval message_type_ns=replace(message_type, " ", "") | eval x_message_type=if(message_type == message_type_ns, message_type, "No message type") | stats count by message_type, message_type_ns, x_message_type</LI-CODE><P>That doesn't appear to be working correctly.&nbsp; I'm always getting either all true or all false.&nbsp; This is the output.</P><LI-CODE lang="markup">"message_type","message_type_ns","x_message_type",count " ActionLogMessage",ActionLogMessage,"No message type",240 " ActiveDirectory",ActiveDirectory,"No message type",128 " Client has an AuthenticationCertificate Relay selected",ClienthasanAuthenticationCertificateRelayselected,"No message type",2 " Client shutdown (Service manager shutdown request) ******************************************** Current Date","Clientshutdown(Servicemanagershutdownrequest)********************************************CurrentDate","No message type",3 " Encryption",Encryption,"No message type",11 " Initializing Site",InitializingSite,"No message type",43 " PollForCommands",PollForCommands,"No message type",13 " Processing fixlet site. ******************************************** Current Date","Processingfixletsite.********************************************CurrentDate","No message type",1 " RegisterOnce",RegisterOnce,"No message type",149 " Report posted successfully ******************************************** Current Date","Reportpostedsuccessfully********************************************CurrentDate","No message type",1 " Restricted mode Initializing Site",RestrictedmodeInitializingSite,"No message type",3 " User interface process disabled for user 'user' ActiveDirectory","Userinterfaceprocessdisabledforuser'user'ActiveDirectory","No message type",1 " User interface process disabled for user 'user' ActiveDirectory","Userinterfaceprocessdisabledforuser'user'ActiveDirectory","No message type",1 " User interface session ended for user 'user' User interface session ended for user 'user' ******************************************** Current Date","Userinterfacesessionendedforuser'user'Userinterfacesessionendedforuser'user'********************************************CurrentDate","No message type",1 " User interface session ended for user 'user' ActiveDirectory","Userinterfacesessionendedforuser'user'ActiveDirectory","No message type",1 " User interface session ended for user 'user' ******************************************** Current Date","Userinterfacesessionendedforuser'user'********************************************CurrentDate","No message type",1</LI-CODE><P>When I try this simple case, it works.</P><LI-CODE lang="markup">| makeresults | eval string_a="Client shutdown (Service manager shutdown request) ******************************************** Current Date" | eval string_b="Client_shutdown_(Service_manager_shutdown_request)_********************************************_Current_Date" | eval my_string=if(string_a == string_b, string_a, string_b)</LI-CODE><P>And the output</P><LI-CODE lang="markup">_time my_string string_a string_b 2023-12-07 10:14:17 Client_shutdown_(Service_manager_shutdown_request)_********************************************_Current_Date Client shutdown (Service manager shutdown request) ******************************************** Current Date Client_shutdown_(Service_manager_shutdown_request)_********************************************_Current_Date</LI-CODE><P>What I'm trying to do is find these</P><LI-CODE lang="markup">At 09:01:45 -0800 - Encryption: optional encryption with no certificate; reports in cleartext</LI-CODE><P>The above would have message_type=Encryption.&nbsp; This example</P><LI-CODE lang="markup">At 09:00:39 -0800 - Starting client version xx.yy.zz.aa FIPS mode disabled by default. Cryptographic module initialized successfully. Using crypto library libBEScrypto - OpenSSL</LI-CODE><P>would have message_type="No message type".&nbsp; I've tried using colon (:), but there are messages with embedded colons.&nbsp; Any thoughts on how to solve this are appreciated.</P><P>TIA,</P><P>Joe</P> Thu, 07 Dec 2023 21:50:55 GMT https://community.splunk.com/t5/Splunk-Search/String-comparison/m-p/671195#M230032 jwhughes58 2023-12-07T21:50:55Z https://community.splunk.com/t5/Splunk-Search/String-comparison/m-p/671202#M230033 <P>From your SPL, it looks like you're trying to access the first line after At as the message type</P><P>Have you tried extracting Message type with</P><LI-CODE lang="markup">| rex field=_raw "(?s)At \d+:\d+:\d+\s+-0800\s+-..\s+(?&lt;message_type&gt;\w+):"</LI-CODE><P>where the .. will match the line feed (you may only need a single dot, depends on the data.</P><P>&nbsp;</P> Thu, 07 Dec 2023 23:55:10 GMT https://community.splunk.com/t5/Splunk-Search/String-comparison/m-p/671202#M230033 bowesmana 2023-12-07T23:55:10Z