Not sure if I got your question correct. But you could for example use the fields that you created in a search. index="cts-test-app" source=*PERF*
| rex "DN: (?<ConsumingApp>.*?)[}\s]"
| rex field=_raw "GET\s\/(?<attemped>(Refid|SomeId))"
| search attempted AND "some string"
| stats count AS attemptedWithSomeString by ConsumingApp
| appendcols [
index="cts-test-app" source=*PERF*
| rex "DN: (?<ConsumingApp>.*?)[}\s]"
| rex field=_raw "GET\s\/(?<attemped>(Refid|SomeId))"
| search attempted AND "some other string"
| stats count AS attemptedWithSomeOtherString by ConsumingApp
] This is using a subsearch (appendcols) and I usually don't use/like it. Just the first idea I came up with, without knowing your data. (And maybe not knowing what you want as a result 🙂 ) Could you maybe share some example logs and the result you want to have from it?
... View more