I have some events that have `PROD*` in field names (e.g. `PROD error`, `Production warning`, etc.) Other events don't have `PROD*` in field names, e.g. they have `DEV error`, `Development warning`, etc. The end goal is to build a dashboard that will compare statistics across different envs, that's why I need data from other fields like `ERROR_CODE`.

It really does not make sense because the above kind of contradicts what is asked in the OP. A good way, in fact the very basic way, to ask an answerable question is to illustrate your data with a table (you can give a few fields of relevance and value variants of importance), then illustrate desired output from the data with a table, then explain the logic to arrive at desired output from illustrated data as if you have no Splunk.