Hi @GRC, please see my query below (based on your data):

```
| makeresults count=2
| streamstats count
| eval _raw=if(count=1,"Dec 14 20:31:05 abc-05-hiddencam MSWinEventLog#0111#011System#011622650#011Tue Dec 14 20:31:05 2021#0117036#011Service Control Manager#011N/A#011N/A#011Information#011abc-05-hiddencam#011None#011#011The Google Update Service (gupdate) service entered the stopped state.#01176625","Dec 13 09:03:18 abc-05-hiddencam MSWinEventLog#0111#011Security#011620683#011Mon Dec 13 09:03:16 2021#0114634#011Microsoft-Windows-Security-Auditing#011abc-05-hiddencam\Alis#011N/A#011Success Audit#011abc-05-hiddencam#011Logoff#011#011An account was logged off. Subject: Security ID: S-1-5-21-193828115-2933347444-2245271187-1049 Account Name: Alis Account Domain: abc-05-hiddencam Logon ID: 0x8ac469ffa Logon Type: 10 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.#011304150")
| rex field=_raw "(?<Date>\w{3}\s+\d+ \d+:\d+:\d+)\s(?<hostname>\w+-\d+-\w+).*(?<status>service\s\w+\s\w+\s\w+\s\w+)"
| rex field=_raw "(?<Date>\w{3}\s+\d+ \d+:\d+:\d+)\s(?<hostname>\w+-\w+-\w+).+Audit\S+\s\w+\s\w+\s(?<status>.+).\s\s\s\sSub.+Account\sName\S+\s+(?<user>\w+).+"
| eval "Hidden Cam Monitoring" = Date + " : " + hostname + " " + status + if(isnotnull(user)," "+user,"")
| table "Hidden Cam Monitoring"
```

If you'll notice, I've added an if clause to the eval function. The reason is that when trying to eval a field based on a field that doesn't exist in the data, the eval will fail and you'll end up with an empty field.
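The same parsing and null-guard logic as an added Python example (not code from the post or from Splunk): it splits the syslog-forwarded Windows event records on the `#011` tab marker, pulls the service-state or logoff status and the account name out of the message, and builds the "Hidden Cam Monitoring" string. The two input lines are constructed from the events quoted in the answer; the field positions are assumed from those two lines rather than from any format specification, and `naive_concat` mirrors the SPL behaviour the answer describes, where concatenating with a field that does not exist yields nothing at all.

```python
import re

# Constructed sample lines modelled on the two events quoted in the post:
# syslog-forwarded Windows event log records in which "#011" stands for a tab.
SAMPLE_LINES = [
    ("Dec 14 20:31:05 abc-05-hiddencam MSWinEventLog#0111#011System#011622650"
     "#011Tue Dec 14 20:31:05 2021#0117036#011Service Control Manager#011N/A#011N/A"
     "#011Information#011abc-05-hiddencam#011None#011#011The Google Update Service "
     "(gupdate) service entered the stopped state.#01176625"),
    ("Dec 13 09:03:18 abc-05-hiddencam MSWinEventLog#0111#011Security#011620683"
     "#011Mon Dec 13 09:03:16 2021#0114634#011Microsoft-Windows-Security-Auditing"
     "#011abc-05-hiddencam\\Alis#011N/A#011Success Audit#011abc-05-hiddencam#011Logoff"
     "#011#011An account was logged off. Subject: Security ID: "
     "S-1-5-21-193828115-2933347444-2245271187-1049 Account Name: Alis "
     "Account Domain: abc-05-hiddencam Logon ID: 0x8ac469ffa Logon Type: 10 "
     "This event is generated when a logon session is destroyed.#011304150"),
]

TAB = "#011"  # literal tab marker as it appears after syslog forwarding

# Syslog prefix: timestamp, host, then the MSWinEventLog marker and first tab.
HEADER_RE = re.compile(
    r"^(?P<date>\w{3}\s+\d+ \d+:\d+:\d+)\s+(?P<hostname>\S+)\s+MSWinEventLog" + TAB
)
# Service Control Manager wording, same shape as the first rex in the post.
SERVICE_RE = re.compile(r"service\s\w+\s\w+\s\w+\s\w+")
# Security auditing wording: status before "Subject:", account name after it.
LOGOFF_RE = re.compile(
    r"An account was (?P<status>[^.]+)\.\s+Subject:.*?Account Name:\s+(?P<user>\S+)"
)

# Field positions assumed from the two sample lines (not a format spec).
IDX_LOG, IDX_EVENT_ID, IDX_SOURCE, IDX_TYPE, IDX_MESSAGE = 1, 4, 5, 8, 12


def parse_event(line):
    """Return a dict of extracted fields, or None if the line is not an MSWinEventLog record."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = line[m.end():].split(TAB)
    if len(fields) <= IDX_MESSAGE:
        return None
    message = fields[IDX_MESSAGE]
    event = {
        "date": m.group("date"),
        "hostname": m.group("hostname"),
        "log": fields[IDX_LOG],
        "event_id": fields[IDX_EVENT_ID],
        "source": fields[IDX_SOURCE],
        "event_type": fields[IDX_TYPE],
        "message": message,
        "status": None,
        "user": None,  # stays None when the message carries no account name
    }
    logoff = LOGOFF_RE.search(message)
    if logoff:
        event["status"] = logoff.group("status")
        event["user"] = logoff.group("user")
    else:
        service = SERVICE_RE.search(message)
        if service:
            event["status"] = service.group(0)
    return event


def naive_concat(*parts):
    """Model of the SPL failure mode: any missing operand makes the whole result empty."""
    if any(p is None for p in parts):
        return None
    return "".join(parts)


def monitoring_line(event):
    """Build the 'Hidden Cam Monitoring' string, appending the user only when present."""
    if event is None or event["status"] is None:
        return None
    text = f"{event['date']} : {event['hostname']} {event['status']}"
    if event["user"] is not None:  # same guard as if(isnotnull(user), ...) in the post
        text += " " + event["user"]
    return text


def summarize(lines):
    """Monitoring strings for every parseable line, skipping unrecognised input."""
    out = []
    for line in lines:
        text = monitoring_line(parse_event(line))
        if text is not None:
            out.append(text)
    return out


if __name__ == "__main__":
    for text in summarize(SAMPLE_LINES):
        print(text)
```

Running the script prints one summary line per event; `naive_concat` shows why the guard is needed, since building the string that way for the service event returns `None` because `user` was never extracted.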