Let me preface by saying I don't have a lot of experience with Splunk. I've found some other posts on the forum here that seem to address my issue, but the queries are too complicated for me to fully understand at the moment.

I have an in house program that we've just hooked up to Splunk. It generates different error messages that I'd like to display on a stacked graph, so we can see how often we get each error.

I can get a simple line chart with a query like this:

sourcetype="myprogram" host="myserver" | regex _raw="Unable to create record (SITE1|SITE2):\d+" | timechart count

...which shows me the number occurrences each day of that error on my chart.

But there are a few other error messages I need to include, such as these:

Error while starting VM (SITE1|SITE2):\d+
Error obtaining VM details (SITE1|SITE2):\d+
etc

I was trying to extract these various messages into fields, but the IFX wasn't picking up the examples I fed it, and when I tried to edit the regular expression manually like this:

(?i)1f (?P<FIELDNAME>Unable to create record)\s+\w+:

It would only match a single result though, as opposed to matching all occurrences. I'm not entirely sure if that's the approach I need to be taking though, as these values aren't really a "field" - they won't appear in every log message.

I'm not sure what to try next. Can anyone guide me as to where I need to look to do this?