Great! It works for 80% of my alerts. index=dynatrace sourcetype=alert | table dtIncidentViolations.* | transpose | table column | rex field=column "(?P\w+)(?:\{| \((?[\w_@\.]+))" Is it possible to make fields APP and JVM two new interesting fields ? It will be more easy to use it because my search will look like that and won't be easy to modify : index = dynatrace sourcetype = alert ( MAE ) OR ( FILIP ) OR ( GAEL ) OR ( BOUTIQUESVIR ) OR ( APOGEE ) OR ( NEWAUTO ) | table dtIncidentName dtIncidentViolations.* | transpose 500 column_name="Appli" header_field=dtIncidentName include_empty=false | rex field=Appli "(?P\w+)(?:\{| \((?[\w_@\.]+))" | stats count("Failure rate too high") as "Taux d'erreur", count("Average response time degraded") as "Tps réponse dégradé",count("Application Process Unavailable (unexpected)") as "Perte connectivité JVM",count("Application Process Out-of-Memory") as "Out-of-Memory" by APP ... View more

Result of this search is : dtIncidentViolations.Application Response Time - DB Time [] BOUTIQUESVIR{} dtIncidentViolations.Application Response Time - PurePath Response Time [] Icone{} dtIncidentViolations.Application Response Time - PurePath Response Time [] Maestro{} dtIncidentViolations.Application Response Time - Time [] BOUTIQUESVIR{} dtIncidentViolations.Application Response Time - Time [] FILENET{} dtIncidentViolations.BV - ouvrirSession BOUTIQUESVIR{} dtIncidentViolations.Failed Transaction Count BOUTIQUESVIR (b2b2c_pr02@...){} dtIncidentViolations.Failed Transaction Count Epj (epjgds_pr02@...){} dtIncidentViolations.Failed Transaction Count Gael (gaelsv_pr01@...){} dtIncidentViolations.Failed Transaction Count Gael (gaelsv_pr03@...){} dtIncidentViolations.Failed Transaction Count Gael (gaelsv_pr04@...){} dtIncidentViolations.Failed Transaction Count Gb2000 (gb2k_pr01@...){} dtIncidentViolations.Failed Transaction Count Lea (leacoll_pr02@...){} dtIncidentViolations.Failed Transaction Count Rce (refcli_pr02@...){} dtIncidentViolations.Failed Transaction Count Trajectoire (trajec_pr02@...){} dtIncidentViolations.Failed Transaction Count of Application Response Time [] BOUTIQUESVIR{} dtIncidentViolations.Failed Transaction Count of Application Response Time [] Gael{} dtIncidentViolations.Failed Transaction Count of Application Response Time [] Gb2000{} dtIncidentViolations.Failed Transaction Count of VL2-ResponseTime BOUTIQUESVIR{} dtIncidentViolations.Failed Transaction Count of VL2-ResponseTime Gael{} dtIncidentViolations.Failed Transaction Count of VL2-ResponseTime Gb2000{} dtIncidentViolations.Failed Transaction Count of Web Page Requests [<...>] ELISAWEB (elisa_pr01@...){} ... I would like add a rex command to put for example BOUTIQUESVIR in a field app and b2b2c_pr02 in a field JVM. The main issue is that I have more than 300 fields named dtIncidentViolations.* and information on app and JVM are not in the same place... ... View more