I need to extract a string from a message body,  and make a new field for it.   <Junk_Message> #body | Thing1 | Stuff2  | meh4 | so on 1 | extra stuff3 | Blah4 </Junk_Message> I just need the text that start with #body and end with Blah4. To make things more fun everything after #body generates randomly.

Here is what I am attempting to write SPL to show.  I will have users logged into several hosts all using a web application.  I want to see the last (most recent) activity performed for each user logged in. Here is what I have so far:  index=anIndex sourcetype=aSourcetype | rex field=_raw "^(?:[^,\n]*,){2}(?P<aLoginID>[^,]+)" | rex field=_raw "^\w+\s+\d+_\w+_\w+\s+:\s+\w+\.\w+\.\w+\.\w+\.\w+\.\w+\.\w+\.\w+,(?P<anAction>\w+)" | search aLoginID!=null | stats max(_time) AS lastAttempt BY host aLoginID | eval aTime = strftime(lastAttempt, "%Y-%m-%d %H:%M:%S %p ") | sort -aTime | table host aLoginID aTime | rename host AS "Host", aLoginID AS "User ID", aTime AS "User Last Activity Time" I am getting my data as expected by host aLoginID but want to only see the most recent anAction ? When I add in my BY clause host aLoginID anAction I start seeing the userID repeated in my results as I would expect as each anAction "name" is different but I am only seeing one row for each anAction name. I think I am on the right 'path' but I want to only see 1 row for each user not 1 row for each userID & action ?

I am trying to generate three reports with stats. The first is where jedi and sith have matching columns. The third is where jedi and sith do not match. Example: index=jedi | table saber_color, Jname, strengths index-=sith | table saber_color, Sname, strengths I need to list where Jname=Sname The third one is where the Jname!=Sname  The caveat is I cannot use the join for this query. Any good ideas?