@andres91302 

How you do this depends on where you want the Class field to live.

To set Class at search time using SPL:

| eval Class=if(match(_raw, "(?i)(hospital|care)"), "Important", "Not important")

To set Class at search time using props.conf:

[my_sourcetype]
EVAL-Class = if(match(_raw, "(?i)(hospital|care)"), "Important", "Not important")

This assumes your mail log has a source type named my_sourcetype. Replace this with the name of your source type.

To set Class at index time using props.conf, transforms.conf, and fields.conf:

# props.conf
[my_sourcetype]
TRANSFORMS = my_sourcetype-Class

# transforms.conf
[my_sourcetype-Class]
INGEST_EVAL = Class=if(match(_raw, "(?i)(hospital|care)"), "Important", "Not important")

# fields.conf
[Class]
INDEXED = true

For search time extractions, props.conf would be copied to your search head.

For index time extractions, props.conf and transforms.conf would be copied to your heavy forwarder or indexer and fields.conf would be copied to your search head.

The benefit to index time extraction is including the value of Class in the time series index of the bucket; however, you can achieve similar performance at search time by including search terms:

```Important```
sourcetype=my_sourcetype (hospital OR care)
| eval Class="Important"

```Not important```
sourcetype=my_sourcetype NOT (hospital OR care)
| eval Class="Not important"

Your preferred solution depends on your use cases.

For reference, I tested all options using the following dummy events:

Sat May 29 23:37:00 EDT 2021 Hello I need a hospital bed.
Sat May 29 23:38:00 EDT 2021 Hello I have a problem with access to care.
Sat May 29 23:39:00 EDT 2021 Hello I can I have a quote?
Sat May 29 23:40:00 EDT 2021 Hi can you help me find a provider?
Sat May 29 23:41:00 EDT 2021 Hello I have a question about a claim.

(It sounds like you're with a provider. I have a payer background....)