@niketnilay its worked. but i want from workflow name also. how to get it.

other rows doesn't have word workflow which we are looking. so if that row doesnt have word workflow. i want dont want that row to have other text . i want as empty or NA. pls help

Is following query what you need?

| rex field=_raw "\|Workflow: (?<Workflow>[^\|]+)\|"
| eval Workflow=case(searchmatch("|Workflow: "),"Workflow: ".Workflow, true(),"N/A")

| eval Workflow=case(searchmatch("|Workflow: "),"Workflow: ".Workflow, true(),"N/A")
this statement nt working

I tried following run anywhere search which worked fine. I just cooked up one event without Workflow:

|  makeresults
|  eval data="CCDSRiERRSTAFGRT||FUNC||u505||PA1RA2M||STCK|Workflow: threat call workplace||ATdT|||AC1CSED;CCDSRiERRSTAFGRT||FUNC||u505||PA1RA2M||STCK| threat call workplace||ATdT|||AC1CSED;CCDSRiERRSTAFGRT||FUNC||u505||PA1RA2M||STCK|Workflow: workplace management||ATdT|||AC1CSED"
|  eval data=split(data,";")
|  mvexpand data
|  rename data as _raw
|  rex field=_raw "\|Workflow: (?<Workflow>[^\|]+)\|"
|  eval Workflow=case(searchmatch("|Workflow: "),"Workflow: ".Workflow, true(),"N/A")

@premranjithj, can you add samples of rows without workflow.

What is STCK? What kind of values can i have?

Or else can you confirm whether it is always the 9th pipe (|) that will have Workflow name? In that case you can use

| eval data=split(_raw,"|")
| eval workflow=mvindex(data,9)
| eval workflow=case(match(workflow,"Workflow"),workflow,"N/A")

In fact you should take care of this while ingesting the data and index it with Delimited String (Pipe Separated Value) so that all fields are already extracted during search time field discovery.

hi @niketnilay it will not be always be 9th pipe that will have workflow.

@premranjithj, then you would definitely need to add more samples. Even for regular expression you would need to know before or after pattern.

For using delimeter you would need to know which position/s it might be present.

So, besides above one more question: will workflow always have name Workflow in it?

Since you own the data, you will have to tell us the pattern/s of data so that we can help you with regex. Unfortunately it can not be the other way around. Hope you understand.

yes always workflow will have the same name and only one time its present
so we have to keep workflow as base to find

As requested can you add few samples or events without Workflow as well?

I have added an updated query to prefix "Workflow: " for workflow or set as "N/A" otherwise. Please try out and confirm.

below are the samples
DOSTART||TECH||()--()||Error while other 'sequence', set 'sink' at step 'SWIfkdslTCH ON ?'.() -- Method 'help' of answered 'O

An occurred in service 'sequence' Order failed (incifdffdsdent is on time to check()

An err occurred in service |TECH|PARs||STCK|Workflow: automated||promots|physical