Hi With your example this seems to work. index=_internal
| head 1
| eval _raw = "Multiple 'access denied' events detected with protocol smb (at least 41 failed attempts in 15 seconds). Last usernames used in login requests are: 'NA\HXXX6LBDBMCXT2$', 'NA\RKXXXEDE', 'UPSTREAM\dXXXcline', 'ULAB\l3xxxxcli'. Last path trying to access FA Labs\XXXM\Lumisizer\08-xx-2020_1201 A-D, 1201 A2-D2 - Copy\1201 C.xlsx"
| rename COMMENT AS "previous set example data, next do the regex"
| rex max_match=0 "Last usernames used in login requests are:\s(?<NamesAll>[^\.]+)"
| rex max_match=0 field=NamesAll "([',\s\.])+(?<Names>[^']+)" r. Ismo
... View more