With regards to the regular expression - the first group should be non-greedy to prevent it from gobbling up too much. Here's my test query producing the desired result for the given examples: | gentimes start=-1 | eval temp="DATABASE-DTA-PRD#APACHE-SCM-PRD-TST#SERVERS-PRD" | table temp | makemv temp delim="#" | mvexpand temp | rename temp as _raw | rex field=_raw "(?<result>.*?)(?:-DTA-PRD|-PRD-TST|-TST|-DTA|-PRD)" | table _raw result If you are not anchoring the regular expression to the end with $ you shouldn't need the -PRD-TST and -DTA-PRD matches. Under the condition that the -SCM tag is always the first tag and that there is always at least one tag you might simplify the query a bit, e.g. | rex field=_raw "(?<result>.*?)(?:-DTA|-PRD|-TST)" Alternative 1 Using rex mode=sed would allow you to discard specific tags which also works if the tag order differs. | gentimes start=-1 | eval temp="DATABASE-DTA-PRD#APACHE-SCM-PRD-TST#SERVERS-PRD#APACHE-PRD-TST-SCM" | table temp | makemv temp delim="#" | mvexpand temp | rex field=temp mode=sed "s/-(PRD|TST|DTA)//g" | table temp Alternative 2: Now, if things turn really complicated the you could resort to using a lookup table full_fieldname,short_fieldname DATABASE-DTA-PRD,DATABASE APACHE-SCM-PRD-TST,APACHE-SCM APACHE-PRD-SCM-TST,APACHE-SCM SERVERS-PRD,SERVERS ... and use like: | eval full_fieldname=... | lookup name_translation full_fieldname OUTPUT short_fieldname | eval fieldname=if(isNull(short_fieldname), full_fieldname, short_fieldname) | stats count by fieldname All of these would work if you do the manipulation in the query, if you want to do this in props.conf this might not be the case. ... View more

The following should do the trick though producing the regular stats output format: ... | rex field=_raw "\{state,\"(?<state>\w*)" | stats count by state | sort -count or with timechart: ... | rex field=_raw "\{state,\"(?<state>\w*)" | timechart count by state ... View more

I am not sure if you want to return events with only public or only private IP addresses. How about index=<someindex> source=<somesource> " connected to 10\." to only get the private ones or index=<something> source=<somesource> "connected to " NOT "connected to 10\." to get the public ones. This will only look consider 10.x.x.x as private (not other ranges like 192.168.x.x etc) which might be sufficient for what you want. This should also be quick as it's filtering on the indexer. ... View more

The following eval clause might do the trick though it will result in field Logon being present with a blank value if neither phrase is found: eval Logon=case(match(_raw,"user logged on"), "yes", match(_raw,"user failed logon"),"no",1==1,"") As jrodman wrote this could be used as part of the search and should also work for creating a calculated field. Another approach would be using rex mode=sed to change the text: rex mode=sed field=_raw "s/user logged on/Logon=yes/" | rex mode=sed field=_raw "s/user failed logon/Logon=no/" You might need a kv or | rex field=_raw "Logon=(?<Logon>yes|no)" to pick up the name value pair. ... View more

The answer to this question is actually the same as for the field menu: this can be achieved using workflow actions. (Credits to bwooden) ... View more