from sample_data_str,app_logs,fi* | sort service_id, client_ip DESC, destination.IP NULLS FIRST | eval xJRwHRezpds = -1299206307, ZuPpUkXhu = -1360937430036226416, `source.IP` = \"IizPcFyV\" | keep xJRwHRezpds, `source.IP` | rename `source.IP` AS `dVxoyvSH`| rename dVxoyvSH as message | lookup join message_types_lookup on message | drop xJRwHRezpds, *Rezpds | mv_expand message | dissect message \"%{RQZzvsuaWfI}\" | rename RQZzvsuaWfI AS `message`, `message` AS FJaUmggBPj | dissect FJaUmggBPj \"%{FJaUmggBPj} %{FJaUmggBPj}\" | rename FJaUmggBPj AS `FvgUVtLZjcGv` | grok FvgUVtLZjcGv \"%{WORD:FvgUVtLZjcGv}\" | eval DRfKHTdnx = 1146940792054680116, FvgUVtLZjcGv = null | keep * 

... "columns": [ { "name": "type", "type": "keyword" }, { "name": "DRfKHTdnx", "type": "long" }, { "name": "FvgUVtLZjcGv", "type": "null" } ], ... 

from sample_data_str,app_logs,fi* | sort service_id, client_ip DESC, destination.IP NULLS FIRST | eval xJRwHRezpds = -1299206307, ZuPpUkXhu = -1360937430036226416, `source.IP` = \"IizPcFyV\" | keep xJRwHRezpds, `source.IP` | rename `source.IP` AS `dVxoyvSH`| rename dVxoyvSH as message | lookup join message_types_lookup on message | drop xJRwHRezpds, *Rezpds | mv_expand message | dissect message \"%{RQZzvsuaWfI}\" | rename RQZzvsuaWfI AS `message`, `message` AS FJaUmggBPj | dissect FJaUmggBPj \"%{FJaUmggBPj} %{FJaUmggBPj}\" | rename FJaUmggBPj AS `FvgUVtLZjcGv` | grok FvgUVtLZjcGv \"%{WORD:FvgUVtLZjcGv}\" | eval DRfKHTdnx = 1146940792054680116, FvgUVtLZjcGv = null 

... "columns": [ { "name": "DRfKHTdnx", "type": "long" }, { "name": "FvgUVtLZjcGv", "type": "null" } ], ...