Sorry for the confusing and here is the detail:
Search: index=index1 | table eventdata Current output: eventdata <Type> View </Type> <Action> Edit </Action> <Source> Server Name </Source>
Wow, I see where it causes confusing. The tags were removed from my original post. That makes both current and desired outputs the same.
The current output has smaller and greater signs at beginning and these signs with at the end.
It got eaten again. Re-edit your original question, highlight the stuff that is getting changed and then click the
101010 button to make it a code fragment that will not get modified.
You said the same thing 3 times the same way and it doesn't make sense. Draw us a picture and stop using words. Show us the data before and the data after. We are not following what you mean, especially your strange use of the term
rex command may be what you are looking for. The example below will extract what is between
< into a field called 'field'.
... | rex "\<[^>]+>\s*(?<field>[^\<]+)\<"