This is a typical event. 

account_lookup__level=|||| 
account_lookup__has_contacts_id=true 
account_lookup__premium=false 
account_lookup__intent_pred=buy_product
account_lookup__intent_pred_score=0.66920596
account_lookup__intent_pred_utterance=buy a product
account_lookup__is_accountant=false 
account_lookup__product_family=PAYMENTS 
account_lookup__product_name=Cash product
account_lookup__score_success=true 
account_lookup__success=true

 And here's my table query

| table account_lookup__product_name _time

Which shows as 

Cash | 2022-05-09 14:23:29

| rex "account_lookup__product_name=(?<account_lookup__product_name>.*)"

I'm still having some trouble.  Here's my current query. 

| rename account_lookup__product_name as product
| table product
| rex "product=(?<product>.*)"

 I've tried moving the rex command before the table, but then the entire event log shows in the table.

I also tried doing this without the rename parameter, but it said the rex name is too long. (The actual field name is much longer than what I'm showing here - I omitted some words for security purposes.)

Regex: subpattern name is too long (maximum 32 characters).

This query seems like it's the best version so far. The product name shows as the first phrase in every line in the table, but the rest of the event is showing after the product name. I think I need to specific a word count or something.

| eval account_lookup__product_name = product_name
| rex "product_name=(?<product_name>.*)"
| table product_name

Here's one line from the table:

Cash product account_lookup__product_name__product_score=0.4215 account_lookup__product_name__score_success=true account_lookup__product_name__success=true