All Posts

I think you may have been told this before but if you want a time element in your visualisation, it needs to be in your results table. Your search is removing the _time field (or not including it). You need to rework your search accordingly.
@ITWhisperer That's also not working. See the events from the search below and the expected visualization I want.
Is there any mechanism to monitor a Salesforce URL beyond single sign-on? We tried to set it up using Splunk website monitoring. This app directly monitors the single sign-on page and not the actual page. Please suggest a method to monitor a URL beyond single sign-on. Thanks.
For example: If "fieldX" has many possible values (ex. 1 2 3 4 a b c d ...), we want to have Splunk send an alert email whenever any of these values is seen more than 10 times in 60 mins. Does anyone know a search that will work for this? Thanks in advance!
Do you need to return output from one section of a chain search to another, like when writing a function in a programming language? I've assumed that a chained search would, as a user, act in a similar fashion to concatenating both searches, but with a really DRY efficiency - so superb use for dashboarding, as often the material being presented shares a common subject. There are certain queries I am running that break when used in a chained order - am I missing some kind of return function that is needed?
| timechart span=1d count by group_name
| rex field=Body "(?ms).*Access Mask.*\sAccesses:\s(?<Accesses2>.+?)Access\sCheck Results\:.*"
@ITWhisperer group_name is the raw.location and in the visualisation they are using. I want the same Visualisation as mentioned earlier.
Hello all, can someone help me with where I can download the Splunk Tools 6.3 package for Linux?
Try something like this | rex mode=sed field=errorMessage "s/transactionId=[^:]+:/transactionId=txid:/g"
The visualisation you said you wanted doesn't have raw.location in it. Please clarify what you want in your visualisation, what fields you have and how you want to use them.
So when an upstream error is logged in our Splunk it has two fields that contain all the information about the error. So I created a nice little query to show a simple table of the two fields:

stats values(errorMessage) by errorCode

However, for one of the error messages, the errorMessage field can contain an id for the current transaction with the server. So when we scale up and release, this table will contain hundreds of values for a single error type. Examples of the types of errors (obviously sanitized without actual data):

errorCode: Not Required, errorMessage: [Error: Not Required] 400: Downgrade for transactionId=00000000000: type=01 country=GB
errorCode: Not Required, errorMessage: [Error: Not Required] 400: Downgrade for transactionId=00000000001: type=01 country=GB
errorCode: Invalid Request Parameters, errorMessage: [Error: Invalid Request Parameters] 400: Value of 30 for field not valid
errorCode: undefined, errorMessage: [Error: undefined] 400: undefined
errorCode: undefined, errorMessage: [Error: undefined] 500: undefined

So I would like the values(errorMessage) to group the first two items as a single entry. If I could create a new variable without the transactionId, or replace it with the same value, the information would be much easier to read and present for error triage in our dashboard, because the transaction id is not important for seeing an error trend. Not super great with Regex, but I feel there is something that would work to just find a field of numbers with a specific length and remove them or replace them. Is that possible? Thanks
@ITWhisperer  No results, I think strcat is working together with location and group_name  
| timechart span=1d count by location
@ITWhisperer  Below is the visualization I am getting after changing from stats to chart.  
Hi @phanTom, how can I map the output datapaths in the app's JSON file? Is there any document link or video that can be of assistance for that matter?
Introspection endpoint descriptions - Splunk Documentation normalized_load_avg_1min Normalized load average of runnable_process_count across all cores (cumulative_load_avg / number_of_cores). This value is not reliable for a VM guest.
We have used this app as a solution to add the forwarder name: https://github.com/aholzel/TA-add_forwarder_name 
Thank you so much! This is UUID actually but I have added a pattern and it works perfectly!
Hello, the rex command to catch and group the Accesses multi values is not working even though the results in regex101 are fine. Could you guys tell me what I am missing?

Test Log:

12/12/2012 04:25:13 PM
LogName=Security
EventCode=5145
EventType=0
ComputerName=test.corp
SourceName=Microsoft Windows security auditing.
Type=Information
RecordNumber=2049592111
Keywords=Audit Success
TaskCategory=Detailed File Share
OpCode=Info
Message=A network share object was checked to see whether client can be granted desired access.
Subject: Security ID: User\Test Account Name: Test Account Domain: Test Logon ID: 0x117974CE
Network Information: Object Type: File Source Address: ::1 Source Port: 51234
Share Information: Share Name: \\*\C$ Share Path: \??\C:\ Relative Target Name: Users\Test\Desktop
Access Request Information: Access Mask: 0x100081 Accesses: SYNCHRONIZE ReadData (or ListDirectory) ReadAttributes
Access Check Results: -

Splunk Rex Query:

... | rex field=Body ".*Access Mask.*\sAccesses:\s(?<Accesses2>.+?)Access\sCheck Results\:.*"

Thanks, Regards,