I have a dashboard that is built from 3 different searches. They all come from the same data so I would like to turn them into a base search for the page. However, each one of them has a different regex to pull out a field and I can't figure out how to combine them without losing those fields.
These are my current searches:
index=foo source=bar host=PRD* CIWEB AND Error
| rex field=_raw "CIWEB\.(?<PluginName>.*?Plugin)"
| timechart span=1h count(PluginName) by PluginName

index=foo source=bar host=PRD* CIWEB AND Error
| rex field=_raw "\sE\_(?<ErrorType>.*?):"
| timechart span=1h count(ErrorType) by ErrorType

index=foo source=bar host=PRD* CIWEB AND Error
| rex field=_raw "\.(?<ExceptionName>\w*?Exception)"
| timechart span=1h count(ExceptionName) by ExceptionName
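One way to share a single base search across the three panels, as an added example that is not part of the original post: all three rex commands run in the base search, so each event carries every field that matched, and each panel post-processes with its own timechart. The search id, label, panel titles and time range are assumptions.

```xml
<dashboard version="1.1">
  <label>CIWEB errors (constructed example)</label>
  <!-- Base search: runs once. Each rex adds its own field to the same
       events, so no extraction overwrites another. -->
  <search id="ciweb_errors">
    <query><![CDATA[
index=foo source=bar host=PRD* CIWEB AND Error
| rex field=_raw "CIWEB\.(?<PluginName>.*?Plugin)"
| rex field=_raw "\sE\_(?<ErrorType>.*?):"
| rex field=_raw "\.(?<ExceptionName>\w*?Exception)"
| fields _time PluginName ErrorType ExceptionName
    ]]></query>
    <!-- Assumed time range; replace with the dashboard's own. -->
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>
  <row>
    <panel>
      <chart>
        <title>Errors by plugin</title>
        <!-- Post-process search: starts from the base search results. -->
        <search base="ciweb_errors">
          <query>| timechart span=1h count(PluginName) by PluginName</query>
        </search>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>Errors by type</title>
        <search base="ciweb_errors">
          <query>| timechart span=1h count(ErrorType) by ErrorType</query>
        </search>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>Errors by exception</title>
        <search base="ciweb_errors">
          <query>| timechart span=1h count(ExceptionName) by ExceptionName</query>
        </search>
      </chart>
    </panel>
  </row>
</dashboard>
```

The explicit `fields` command matters because the base search is non-transforming: naming the fields keeps them available to the post-process searches.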