This looks easy but I couldn't figure it out. Any help is appreciated. How to extract user email from raw message and assign to a field? For example, here is my event message message: SpeciaService: Received  Status for xxxxxxx Message=xxx(timeStamp=xxxx, job=1234(super=xxxx(id=1376, userId=xxxxx@xxxx.com , status = success) I want to generate a table with userId and status fields  generated from event logs that matches 'SpeciaService' events I tried below, it didn't work index=xxxx-* SERVICE="xxx-service" | rex field=SpeciaService: Exception "\S* (?<userId>\S*)"  |eval status = if(exception, error:success )| table userId, status ... View more