Try this approach. Begin by reading one lookup file and marking the entries as "file1".  Then read in the other lookup file and mark the entries as "file2".  Rename the main column to match the first lookup.  Use the stats command to merge the two result sets together, counting them by Serial Number.  Any entry with a count less than 2 means one of the lookups was missing that value.  The "file1" or "file2" mark will tell you which file has the value so it must be missing from the other one. | inputlookup file1 | eval src="file1" | append [ | inputlookup file2 | eval src="file2" | rename "System Serial Number" as "Serial Number" ] | stats count, values(*) as * by 'Serial Number' | where count < 2 | table "Serial Number" src   ... View more

Maybe back to the beginning.  Let's test with _raw. | rex "Computer SerialNumber\s*:\s*(?<SerialNumber>.+)" Note: I see a space between the string "SerialNumber" and the colon in your data illustration, but my previous code didn't address that.  That was my omission.  This one handles common variants vendors might print their data.  If space handling is the problem, you can add back field restriction. ... View more

Can you explain the frustration you had when trying to extract?  Assuming that pluginText is already extracted into a field, you can do something like | spath input=pluginText ``` this gives you a field plugin_output ``` | rex field=plugin_output "Computer SerialNumber: (?<serialNumber>.+)" Alternatively, extract all key-value pairs from plugin_output using | spath input=pluginText ``` this gives you a field plugin_output ``` | rename _raw AS saved_raw, plugin_output AS _raw | kv kvdelim=" : " | rename saved_raw as _raw   ... View more