So I have multiple fields whose field names could end with a different values. Examples of these fields are below: foo.foo_a = 1 foo.foo_b = 2 foo.foo_123 = null foo.foo_test = 4 What I want to do is combine all of these values into a single value. Essentially, I want a new value like below new_value= foo.foo_* where new_value would then be equal to: 1 2 4 If anybody could help guide me on this, it would be greatly appreciated. I was hoping that something like stats list(foo.foo_*) by field would have worked, but it doesn't provide the output that I am looking for, which is all of the fields combined into one. ... View more

I have multiple events that are related by a similar sessionID. One event contains an employerCode, which is what I would want the input on the dashboard to be. I have hardcoded that to 00000 for now. I am looking to have by subsearch look for all logs associated with that employerCode, and pull out all SessionID's. When I run this subsearch by itself, it works fine. sourcetype="ta" index="p_r" "employer code [00000]" | rex field=_raw "SessionID:\[(?.*)\];" | dedup sid | table sid Results: sid S1 S2 S3 etc. However, I am now wanting to find all logs that contain those SessionID's and the phrase "ReasonCode". I have attempted to use the following query, but am not getting any results: sourcetype="ta" index="p_r" "ReasonCode" [search sourcetype="ta" index="p_r" "employer code [00000]" | rex field=_raw "SessionID:\[(?.*)\];" | dedup sid | table sid] However, if I were to try the following query by hardcoding the sessionID, I get what I am looking for: sourcetype="ta" index="p_r" "ReasonCode" "S1" It would be very appreciated if somebody could help me resolve my issue and point out my mistake. ... View more