| makeresults
| eval msg="SHA: 829d93a28c73a03e832201de5159994, File: Time: 1537775701 details[File Analysis ] ; SHA: 68a4b235449a8c3cfc8ed, File: Guia-Deshaon-quicaTime: 1537780892 details[File Analysis ]"
| makemv delim=";" msg
| mvexpand msg
| rex field=msg "SHA:\s(?P<value>[^\,\"]+)\,\sFile:(?P<file>\s*[^\,\"]+)?Time:\s(\d+\.?\d*)\s(?:.*)"
| eval file = if('file'=" ","Null",'file')
This should give you two file values: Null and Guia-Deshaon-quica.