@dsmeerkat  yes, I assumed these were separate rows, but if this is one big _raw event, then use the max_match=0 param with rex that will make a multi value field with all the found matches of the regex. Here is an example with your data as a single event | makeresults | eval _raw="Name: BES Client, Running as: LocalSystem, Path: \"\"C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClient.exe\"\", SHA1: 5bf0d29324081f2f830f7e66bba7aa5cb1c46047 Name: BESClientHelper, Running as: LocalSystem, Path: \"\"C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClientHelper.exe\"\", SHA1: c989ae2278a9f8d6d5c5ca90fca6a57d19b168b8 Name: svchost.exe, PID: 424, PPID: 432, ( Started up: Mon, 19 Sep 2022 03:41:57 -0700 ), Running as: NT AUTHORITY\LOCAL SERVICE, Path: C:\Windows\System32\svchost.exe, SHA1: 3196f45b269a614a3926efc032fc9d75017f27e8 Name: scsrvc.exe, PID: 1384, PPID: 432, ( Started up: Mon, 19 Sep 2022 03:42:34 -0700 ), Running as: NT AUTHORITY\SYSTEM, Path: C:\Program Files\McAfee\Solidcore\scsrvc.exe, SHA1: ef1cc70f3e052a6c480ac2fe8cdfe21a502669cc" | rex max_match=0 "Name: (?<process>[^,]*), Running" ... View more

You may want to add other characters like - and _ to the regex. This is primitive and just catching the word and . characters on either side of the @ and assumes your url is delimited with other special chars like = from your examples | makeresults | eval foo="macplatform.wondershare.com/interface.php?m=co&client_sign={CD1AABB2-586E-55A5-A891-877563550973}∏uct_id=735&version=10.3.2&email=Christopher.Nobody@somedomain.com⟨=en_us&type=0&cc=92445606E83D64D283AD3A5EF2A9869E∫erface_version=1.1 link.defensenews.com/manage/5ba/preferences-center?email=moe.nobody@domain.org www2.criver.com/form/checkEmailAjax/account_id/60962/form_field_id/129003/tracker_id/278458707/field_id/60962_129003pi_60962_129003?param=Edward.Nobody2@some.com login.yahoo.com/account/comm-channel/refresh?display=login&.intl=us∫l=us&.lang=en-US&src=finance&.src=finance&login=kimberly.nobody@somewhere.gov&tn=arinfo_review&context=spreg_cc&. www.borisfx.com/BCCAVXActivation.php?UPID=MCHITNB-ADRELHQ-OSJZBFU-VYIQAAM&email=ronald.nobody@blahblah.com&firstname=Ron&lastname=nobody∁anyname www.idevmail.net/unsubscribe.aspx?d=94&m=1319&e=jill.nobody2@domain.net"; | makemv foo delim=" " | mvexpand foo | rex field=foo "(?<email>[\w\.]+@[\w\.]+)" | table foo email ... View more

The replace command should work: | eval Scanned=replace(Scanned,"^20|=20"," ") ... View more

Hi dsmeerkat, I should try to extract a filed with result of login, the add this field to starts and then use this field to filter, something like this: index=blah sourcetype=unix action=failure | lookup approved_server_ips ip as src OUTPUT filter | search filter=0 | eval Local_1=split(upper(user),"\\") | eval Local_Account_Name=if(isnull(mvindex(Local_1,1)),user,mvindex(Local_1,1)) | rename src as Source_Device_IP, Local_Account_Name as Failed_Account_Name | rex "(?<Result>Failed|Success)" | stats values(Result) AS Result count by index,Failed_Account_Name,Source_Device_IP,host | where count>4 | sort by -count | search Result=Failed Result=Success | head $Local_alert_count$ (verify regex). Bye. Giuseppe ... View more

Don't forget to click Accept on the best answer (for you) and upvote anything else that was helpful. ... View more

Yes and yes. ... View more

index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by pool useother=false |convert ctime(_time) AS Time | tscollect namespace=License_Daily_Usage_7d keepresults=true | tstats sum(GB) AS Total, values(Total), values(Date) FROM License_Daily_Usage_7d groupby Date | rename values(Total) AS Total_GB | convert timeformat="%a, %m/%d/%y" ctime(_time) AS Date | sort _time | fields - _time | eval MyDate=strptime(Date,"%a, %m/%d/%y") | sort MyDate | convert timeformat="%a, %m/%d/%y" ctime(_time) AS Date| table Date, Total_GB Works like a charm! ... View more

NICE!!! Thanks very much! ... View more