Thanks bwooden that works perfect.
Here is my sample for anybody else who is looking for more help.
source=general $env$ $tier$ $srctype$ $leveltok$ (exception=* OR message=* )
| eval level = if(isnotnull(level), level, "Not specified")
|stats count by exception message level sourcetype
| sort - count
| table exception message level sourcetype count
| eval exception=if(len(exception)>100,substr(exception,1,90)+"...",exception)
| eval message=if(len(message)>100,substr(message,1,90)+"...",message)
| eval earliest =$selection.earliest$
| eval latest=$selection.latest$
