We have a large number of alerts which extract data from nginx logs and ping under certain conditions. In each of these alerts we do an identical field regular expression extraction to break the log down into variables, e.g.:
rex field=_raw "\s(?\d\d\d)\s(?\d+(\.\d*)?|\.\d+)\s"
Is there a way to save and reuse this field extraction so I can use it in a number of alerts, or do I need to duplicate it in each one?