Hey everybody
I have two different events for the same file. I need to extract the latest values and concatenate them into one string.
File:
foo=bar
foo1=bar1
foo2=bar2
foo3=bar3
Event 1:
foo=new_bar
foo1=new_bar1
Event 2:
foo2=new_bar2
foo3=new_bar3
Search:
index=MY_INDEX sourcetype=my:source | sort - _time | head 2 | rex field=_raw "foo1=(?<NEED1>.*)" | rex field=_raw "foo2=(?<NEED2>.*)" | table NEED1 NEED2
Output:
NEED1 NEED2
"" or "none" new_bar1
"new_bar2" "" or "none"
Expected string:
new_bar2 new_bar3
Is it possible?
Thanks for your help.
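One way to get the latest value of each key across both events and join them, as an added SPL example that is not part of the original post. It assumes the same index, sourcetype and key names as above; `stats latest()` ignores events where a field was not extracted, which is why the two-row table in the question shows empty cells.

```spl
index=MY_INDEX sourcetype=my:source
| rex field=_raw "(?m)^foo1=(?<NEED1>\S+)"
| rex field=_raw "(?m)^foo2=(?<NEED2>\S+)"
| rex field=_raw "(?m)^foo3=(?<NEED3>\S+)"
| stats latest(NEED1) AS NEED1 latest(NEED2) AS NEED2 latest(NEED3) AS NEED3
| eval result=NEED2." ".NEED3
| table NEED1 NEED2 NEED3 result
```

`(?m)^` anchors each key to the start of a line so `foo=` cannot match inside `foo1=`, and `\S+` stops at whitespace instead of swallowing the rest of the event; `latest()` picks the most recent non-null extraction per field, so no `head` is needed.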