I am trying to return several different error messages with one saved search / alert.
I can get all of them individually and I can get 3 of the 4 together, but when I try to add the one that uses a regex, it wants to apply the regex to everything or ignore it depending on the order.
The regex is being used because one of the errors is distinguished by having nothing after the string "java.lang.NullPointerException", while one of the others does have more after that string. I can't seem to use append, join, or OR. I got it to at least not error using OR by putting in brackets, but the results did not show as expected.
I'm sure there is a better way to do this?
index=prod source="/ep/logs/ep-cortex.log" sourcetype="c2b:cortex" "java.lang.IndexOutOfBoundsException: Index: 0, Size: 0"
OR "com.elasticpath.extensions.ws.service.WebServiceUtil - Errors returned from Tibco. Context: get customer match, Errors: [Arithmetic overflow error for data type tinyint, value =" OR [search sourcetype="c2b:cortex" "java.lang.NullPointerException" | regex _raw="java.lang.NullPointerException$"]
First, I don't like having a multi-line string; it may be better to have more separate strings, to have more chances of getting results.
In addition, at the end of a subsearch you need to have the fields or table command to declare which fields are used in the search; otherwise the subsearch returns all the fields, which will then be used in the search, and it usually has no results.
In addition, I don't like not declaring the index in the subsearch; it runs slower!
About the regex, identify a simpler regex, e.g. the following:
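As an added illustration (not part of the answer above or of the original post), here is one way to write the combined search so that it follows the points made in the answer: every error is matched by short, single-line terms in the base search; no subsearch is used, so there is nothing to declare with fields or table and the index is stated once; and the end-of-line check for the bare NullPointerException is done with an anchored regex applied after the base search instead of inside a subsearch. The index, source, sourcetype and the three error strings are taken from the question (the fourth error it mentions is not shown there, so it is not included). The error_type labels, the trailing-whitespace allowance in the anchored regex, and the assumption that NullPointerException events with text after the exception should be excluded are my own.

```spl
index=prod source="/ep/logs/ep-cortex.log" sourcetype="c2b:cortex"
    (
      ("java.lang.IndexOutOfBoundsException" "Index: 0, Size: 0")
      OR ("WebServiceUtil" "Errors returned from Tibco" "Arithmetic overflow error for data type tinyint")
      OR "java.lang.NullPointerException"
    )
| eval error_type=case(
    match(_raw, "java\.lang\.IndexOutOfBoundsException: Index: 0, Size: 0"), "index_out_of_bounds",
    match(_raw, "Arithmetic overflow error for data type tinyint"),             "tibco_tinyint_overflow",
    match(_raw, "java\.lang\.NullPointerException\s*$"),                        "npe_bare"
  )
| where isnotnull(error_type)
| stats count by error_type
```

The base search only uses plain keyword terms, which Splunk can serve from the index; the regex work happens in eval on the events that survive it. An event that contains NullPointerException followed by more text matches the base search but gets no error_type from case() (the assumed label is that it is a different error the alert should not fire on), so the where clause drops it. The stats line gives the alert a single count per error type to trigger on; remove it to see the raw events instead.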