I usually do that using a case expression.
spath "log.message"
| search "log.message"="REQ_TRACK_ID_MISSING*" OR "log.message" ="DESERIALIZATION_EXCEPTION*" OR "log.message" = "SERIALIZATION_EXCEPTION*"
| eval logMessage = case(match("log.message","REQ_TRACK_ID_MISSING.*"), "REQ_TRACK_ID_MISSING", match("log.message", "DESERIALIZATION_EXCEPTION.*"), "DESERIALIZATION_EXCEPTION", match("log.message", "SERIALIZATION_EXCEPTION.*"), "SERIALIZATION_EXCEPTION", 1=1, "log.message")
---
If this reply helps you, Karma would be appreciated.
