Hi lguinn,
Thanks for your answer. I tried FIELDALIAS already, but as you mentioned, it created an alias for all the events. But I was able to find the solution. Rather than creating an alias, I created an extraction with a multiline regex:
EXTRACT-test = (?ms)EventCode=1234.*Group:[\r\n]+(?:\t[^\r\n]+[\r\n]+)\t+Account\sName:\s+(? [^\r\n]+)
This worked for me. I found this in one of the threads in splunk-base. Thanks again for your reply.
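The behaviour described in the post above, shown as an added example that is not part of the original post: the same regex run in Python against constructed multiline events, to show that it fires only for the chosen EventCode and picks up the Account Name under Group: rather than the one under Subject:. The capture-group name is missing from the page, so `group_name` is a hypothetical stand-in, and the event layout and all values are constructed.

```python
import re

# The post's regex. The capture-group name did not survive on the page, so
# "group_name" is a hypothetical placeholder (Python spells it (?P<name>...)).
EXTRACT = re.compile(
    r"(?ms)EventCode=1234.*Group:[\r\n]+(?:\t[^\r\n]+[\r\n]+)"
    r"\t+Account\sName:\s+(?P<group_name>[^\r\n]+)"
)


def make_event(event_code, subject, group):
    """Build a constructed Windows-style multiline event (not real log data)."""
    lines = [
        "LogName=Security",
        f"EventCode={event_code}",
        "Message=Constructed sample event.",
        "",
        "Subject:",
        "\tSecurity ID:\t\tS-1-5-21-0-0-0-1000",
        f"\tAccount Name:\t\t{subject}",
        "",
        "Group:",
        "\tSecurity ID:\t\tS-1-5-21-0-0-0-2000",
        f"\tAccount Name:\t\t{group}",
        "\tAccount Domain:\t\tEXAMPLE",
    ]
    return "\r\n".join(lines)


def extract_group_name(raw_event):
    """Return the Group section's Account Name, or None if the regex does not match."""
    match = EXTRACT.search(raw_event)
    return match.group("group_name") if match else None


if __name__ == "__main__":
    # Codes 1234 and 12345 both match; 5678 does not.
    for code in (1234, 5678, 12345):
        event = make_event(code, "alice", "Helpdesk Operators")
        print(code, extract_group_name(event))
```

Because `EventCode=1234` is not anchored at the end, an event whose code merely starts with 1234 (such as 12345) is matched as well; adding `\b` after the number restricts the extraction to the exact code.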