Hi, I use regex to extract fields. My query is:

    | rex field=_raw "(?P<Command>((?<=\bCommand>).*(?=<)))"
    | rex field=_raw "(?P<Arguments>((?<=\bArguments>).*(?=<)))"
    | table Task_Name, ComputerName,Command,_time,Arguments
    | dedup Task_Name, ComputerName,Command,_time,Arguments

How can I return results if the Arguments field does not exist?

For example:

    ...some xml log....
    <Command>C:\Windows\System32\wevtutil.exe</Command>
    <Arguments>sl Microsoft-Windows-PrintService/Operational /e:true</Arguments>
    ...some xml log....

is OK, and

    ...some xml log....
    <Command>C:\Windows\System32\wevtutil.exe</Command>
    ...some xml log....

is not OK.