[change management transactions]
search = eventtype=cisco_ios host="$hostToken$" eventtype=cisco_ios-config_started OR eventtype="cisco_ios-cfglog_loggedcmd" | eval event_id=coalesce(event_id, strftime(_time, "%s%3Q")) | rex mode=sed field=event_id "s/(\d+)/0000000000000\1/" | rex mode=sed field=event_id "s/0*([0-9]{13})/\1/" | eval event_command=event_id + " " + command | transaction maxspan=15m host,user | rex field=event_command "(?<eid>\d+)\s(?<cmd>.+)" | eval cmd=if(isnull(cmd), "ARCHIVING NOT ENABLED ON THIS DEVICE", cmd) | table _time,host,config_source,user,line,src_ip,eid,cmd

[best practice deviations]
search = eventtype="cisco_ios-best_practice_deviations" | table host,facility,subfacility,mnemonic,message_text