The values I need are located in the field "msg". Each msg contains 3 records. I run this query and get the result as below,   index=summary | search msg="*blablabla*" | rex max_match=3 "Type=(?<Type>.+?)\," | rex max_match=3 "Restaurant=(?<Restaurant>.+?)\," | rex max_match=3 "Date=(?<Date>.+?)\," | rex max_match=3 "status=(?<status>.+?)\," | table Date, Restaurant, Type, status   Date Restaurant Type Status 2021-03-10 2022-01-04 2021-05-01 Domino SOUTHERN RESTAURANTS TRUST MCDONALD'S A B A NEW USED USED 2021-03-11 2021-03-12 2022-02-05 KFC Domino MCDONALD'S C B A NEW NEW USED 2021-03-11 2021-12-20 2021-05-09 Rooster CYREN BAR MCDONALD'S A A B NEW USED USED 2021-03-12 2021-12-18 2021-06-22 Helo KFC MCDONALD'S A A B NEW USED USED 2021-03-12 2022-01-05 2022-01-14 KFC MCDONALD'S MCDONALD'S A A B   The question is, how can I make each record separated? I would like to use query "where restaurant=KFC" to look for specific restaurant.   ... View more

I run this query to extract all IP address from the events. There are multi ip based on one event. index=* | rex max_match=0 field=_raw "(?<ipaddr>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | dedup ipaddr | table _time, ipaddr   The result is as below, My question is, how to exclude private IP from the the result? Thanks! ... View more