@gcusello  I need a result output as below:

ServiceName: Paypal
Error_Message: Declined payment
OrderNumber: GGTHLL
ResponseTime: 500
Reason: User not registered

Hi @uagraw01,

I replicated the output you indicated,

to have both the field name in a column and the value in another column you have to use the same search without the last row:

<your_search>
| rex field=_raw "Site\|\_\_SYSTEM\__(?<ServiceName>[A-Za-z]+)"
| rex field=_raw "Message\s\=\s(?<Error_Message>.+\:\s[A-Za-z0-9]+)"
| rex field=_raw "failed:\s(?<OrderNumber>[A-Za-z0-9]+)"
| rex field=_raw "httpStatusCode\s\=\s(?<ResponseTime>[0-9]+)"
| rex field=_raw "ResponseTime\s\=\s(?<Reason>.+)"
| table ServiceName Error_Message OrderNumber ResponseTime Reason
| transpose 5 
| rename "row 1" AS Value 

 If instead you want "<fieldname>: >fieldvalue>", you have to use a similar search:

<your_search>
| rex field=_raw "Site\|\_\_SYSTEM\__(?<ServiceName>[A-Za-z]+)"
| rex field=_raw "Message\s\=\s(?<Error_Message>.+\:\s[A-Za-z0-9]+)"
| rex field=_raw "failed:\s(?<OrderNumber>[A-Za-z0-9]+)"
| rex field=_raw "httpStatusCode\s\=\s(?<ResponseTime>[0-9]+)"
| rex field=_raw "ResponseTime\s\=\s(?<Reason>.+)"
| eval 
   ServiceName="ServiceName: ".ServiceName,
   Error_Message="Error_Message: ".Error_Message,
   OrderNumber="OrderNumber: ".OrderNumber,
   ResponseTime="ResponseTime: ".ResponseTime,
   Reason="Reason: ".Reason
| table ServiceName Error_Message OrderNumber ResponseTime Reason
| transpose 5 
| rename "row 1" AS Value 
| table Value

Ciao.

Giuseppe

@gcusello I tried some workarounds. And I succeed what I want to achieve, that is highlighted in the yellow.

Hi @uagraw01,

good for you, but this is a different output than the one you shared.

why my solution doesn't work for you, what's the problem?

tell me if you need more help, otherwise, please accept one answer for the other people of Community.

Ciao.

Giuseppe

P.S.: Karma Points are appreciated 😉