| rex max_match=2 "system:\s(?<system>[\S]+)"
| eval system1=mvindex(system,0)
| eval system2=mvindex(system,1)
Logs in one event are:
user: user1
system: system1
user:user2
system: system2
Output should look like this:
output1 output2
system1 system2
I tried as you suggested. It is not returning any values.
Can you share the raw events in a code block (</>)?
It's working now. I made a slight change to your command. Not sure if it's appropriate or not. Is there any way we can compare these two values to see whether they are the same or not (if system1=system2)?
| rex max_match=2 "system:\s(?<system>[\S]+)"
| eval system1=mvindex(system,-1)
| eval system2=mvindex(system,0)
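The comparison asked for above, as an added example that is not part of any post in this thread. It builds the sample event with `makeresults` (constructed to mirror the event shown in the question, with spaces standing in for the line breaks, which the `\s` in the regex matches either way), extracts every `system:` value into a multivalue field, and derives a `same` field. It differs from the posted search in two labelled ways: `\s*` tolerates a missing space after the colon (the question's event has `user:user2` without one, so the `system:` lines may vary too), and `max_match=0` captures every occurrence rather than stopping at two. The field names `same` and `system_count` are my own choices. Note that the posted variant uses `mvindex(system,-1)` for `system1` and `mvindex(system,0)` for `system2`, so it assigns the last match to `system1` and the first to `system2`; the example below keeps the first-to-first order from the original suggestion.

```spl
| makeresults
```` constructed sample event, equivalent to the event quoted in the question ````
| eval _raw="user: user1 system: system1 user:user2 system: system2"
```` capture every "system: <value>" occurrence into a multivalue field (max_match=0 = unlimited) ````
| rex max_match=0 "system:\s*(?<system>\S+)"
| eval system_count=mvcount(system)
| eval system1=mvindex(system,0), system2=mvindex(system,1)
```` compare the two values; handle the edge case where only one system: line was present,
    since mvindex() returns null there and a bare if(system1==system2, ...) would silently say "no" ````
| eval same=case(isnull(system2), "only one system value",
                 system1==system2, "yes",
                 true(), "no")
| table system_count system1 system2 same
```

Against real data, replace the `makeresults`/`eval _raw` lines with the actual search (for example `index=<your_index> sourcetype=<your_sourcetype>`); the `rex`, `eval` and `table` lines stay the same. For the constructed event the result row is `system_count=2`, `system1=system1`, `system2=system2`, `same=no`; an event that repeats the same host twice yields `same=yes`, and an event with a single `system:` line yields the explicit "only one system value" marker instead of a misleading "no".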