It did not seem to work. But I tried it with _raw instead of Severity and it seemed to work. So I guess my field extraction did not work.

I tried it by selecting an event and then selecting the Severity but I get this massage:
The extraction failed. If you are extracting multiple fields, try removing one or more fields. Start with extractions that are embedded within longer text strings.

So I tried it using settings > Fields > new. But i guess the extraction is not working.

Any tips on how to get this working for the above Severity?

Edit:
The field extraction seemed to work with the following:
(?i)Severity= (?P"<"Severity">"(?:[^”]+))

Ok, so I get the outcome of the search. That's Good 🙂

As a check to see if I understand the search correctly.

The events that are part of the field Severity are being matched on all known fields.
If the 2 events have the same field present it returns a 1 and when a field is present on one event but not the other event it gets a 0. Right?

The way it works is that you are doing a left-join with field Severity such that only events that contain (a non-NULL value for) Severity are kept. The values(*) makes the join keep all fields from both events and if the fields are the same in each event (for a matching Severity) a multi-value field will be created. The number of distinctly different values for each field is captured with the dc(*); in your case, this will always be a 1 or a 2. The last stage iterates over every DC* field and if the value is >1 then this field is a mutli-value field which means one value came from each event so we keep it, otherwise we set the value to null and it disappears in the final results.