Thanks for your response. I tried your search and I'm getting the following error

Error in 'eval' command: The expression is malformed. Expected ).

I'm not sure where the missing ( is

Can you refresh the page and try again? The first time I pasted it, I had a typo. I am looking at the command now, and I am not seeing a missing )

Just found a missing comma though!
Now fixed!

Yes your search works now!

The only thing now is that its combining all the OrderMessages and not sorting them by type. Also the Y-axis and legend was titled "No Match"

Sounds like your match functions are not matching the data then - or perhaps the rex command is not working as you expect. I would run

index="uvtrans" "<a:OrderMessage>*</a:OrderMessage>" 
  NOT "<a:OrderMessage>OK</a:OrderMessage>" 
  | rex "\<a:OrderMessage\>(?P<Phrase>.*?)\</a:OrderMessage\>" 
  | eval newPhrase=case(
      match(Phrase,"Missed Delivery cut-off, Redated to"),
             "Missed Delivery cut-off, Redated to <<Date>>",
      match(Phrase,"Existing account, Changed phone from "),
             "Existing account, Changed phone from <<PhoneNumber>> to <<PhoneNumber>>",
      match(Phrase, "Customer Master flagged as HLD."), 
              "Flagged as HLD",
      match(Phrase,"Customer Master flagged as FRD."),
              "Flagged as FRD",
     1==1,"No match")
  | table Phrase newPhrase _raw

To get a better idea of what is happening. I also just found a typo in the rex command!

It's the same question with a different approach. I'm not sure if it's possible to make regex which will return what I was looking for. The search above returns 75% of what I'm looking for using match/case

Try posting a longer list of real data to test against. If it is really as simple as you say, just extracting one of four strings before a set of numbers, regex absolutely can do all of this, in one rex command even

Could you help getting this last value working for the match/case? I feel like I'm very close to getting this working and believe this way will be faster than redacting sensitive information and sharing info to test against

match(Phrase,"Customer Master flagged as FRD.")

The string in double quotes is treated as regular expression. So avoid using dots and if possible copy the exact string from your logs.

Took out all the periods in double quotes and still no luck..

Well no one will know what you're doing wrong until you post sample data, because your last match is the same as your third match except for the letters FRD and HLD. No one wants your sensitive information, it just makes answering the question easier when there is data to validate a potential answer against.

Try searching through your data and see if the the string "Customer Master flagged as FRD." is truly the correct value to match against the phrase.

I currently have 12 values (YTD) that have "Pulled ship date of 04/10/15 on Express because Customer Master flagged as HLD.

I have 1 value (YTD) "Pulled ship date of 02/25/15 on Express because Customer Master flagged as FRD"

My last match has a case value of match(Phrase,"Customer Master flagged as FRD."),"Flagged as FRD")so intuition tells me that it should work. Do you see anything wrong with how I have it set up? Thanks for the help so far