Hi,
try this
| multisearch [search index=websphere CPUStarvation
| rex "delay is\s+(?P<Value>\d+)\s+seconds"
| eval Value=Value . " Seconds"
| eval AlertName = "APM WAS: CPU Starvation detected"
| eval Severity="Critical"
| eval Details = "APM WAS: Error HMGR0152W. Value Field represent thread scheduling delay"
| table AlertName,Details,Severity,Value,host
| collect index=alerts sourcetype=Alerts:APM
]
[search index=websphere OutOfMemoryError
| rex mode=sed field=_raw "s/\n.*//g"
| rex mode=sed field=_raw "s/^\[.*PDT\]\s+.{8}\s+//g"
| eval ts=round(_time,0)
| stats count as Value list(_raw) as msg by ts,host
| convert ctime(ts) as dt
| eval AlertName = "APM WAS: OutOfMemoryError"
| eval Severity="Critical"
| eval Details = "OutOfMemoryError"
| table AlertName,Details,Severity,Value,host
| collect index=alerts sourcetype=Alerts:APM
]
[search index=websphere HangingThreat
| rex "active for\s+(?P<Value>\d+)\s+milliseconds.*are\s+(?P<threads>\d+)\s+thread"
| eval Value=round(Value/1000,2)
| eval Value=Value . " Sec"
| eval AlertName = "APM WAS: WAS Hanging Threads"
| eval Severity="Critical"
| eval Details = "APM WAS: Error WSVR0605W (".threads." Threads hang). Field 'Value' represent thread activity time"
| table AlertName,Details,Severity,Value,host
| collect index=alerts sourcetype=Alerts:APM
]
... View more