Hello, I have some log messages like this, where various info is delimited by double-colons: {"@message":"[\"ERROR :: xService :: xService :: function :: user :: 6c548f2b-4c3c-4aab-8fde-c1a8d727af35 :: device1,device2 :: shared :: groupname :: tcp\"]","@timestamp":"2023-03-20T23:34:05.886Z","@fields":{"@origin":"/dir/stuff/things/and/more/goes/here/file.js:2109","@level":"info"}} I am trying to send a count per day of the 'function' shown above, and the issue is that it might appear at various block count when the message is split from ' :: ' - So, I am trying to match regex on the UUID and count 2 blocks backwards from there to get the 'function' as a reliable way to extract it.  I have observed the UUID appearing in blocks 5, 6, and 7, so this is an attempt at case for each and assigning a value to get the function. Am quite new to Splunk queries, but here is my stab at it.  Of course, it doesn't quite work: index=iap source="/dir/stuff/things/xService.log" "ERROR :: xService ::" | rex field=@message mode=sed "s/(\[\"|\"\])//g" | eval tmp = split('@message'," :: ") , check7 = mvindex(tmp,7), check6 = mvindex(tmp,6), check5 = mvindex(tmp,5) | eval target=case(match(check7,"\w+\-\w+\-\w+\-\w+\-\w+"),7,match(check6,"\w+\-\w+\-\w+\-\w+\-\w+"),6,match(check5,"\w+\-\w+\-\w+\-\w+\-\w+"),5) | eval function=case(match(target == 7, 5, target == 6, 6, target == 5, 5) | timechart span=1d count by function limit=0 ... View more