This method worked for me on an Windows Event log where "Account Name:" appears twice on every event and I only wanted the 2nd name, not the first. The only oddity unresolved was when one of the two names were null in the event. There might be a way to fix that. Other than that, it worked.     index=* host=*servername* password EventCode=4625 | rex field=Message "Account Name:\s+(?<ACCOUNT_NAME>[^\r\n]+)" max_match=0 | eval Account_Name_1=mvindex(Account_Name, 0) | eval Account_Name_2=mvindex(Account_Name, 1) | table DomainController, Account_Name_2 ... View more

Sorry for the inconvenience, our web team is aware and working on it. In the meantime, please try navigating to the URL using an incognito window and see if that allows you to circumvent the oddness. ... View more

Ended up having to convert one of my fields using the eval field=tostring(field1) to get the comparison to work in the end, but it worked as expected. Thanks. ... View more

@joshi_rajesh This question is almost 2 years old with an accepted answer so there's not likely to be many people looking at it. You should post a new question explaining the problem you wish to resolve. ... View more