I am decoding fields and appending or replacing them in events. I would like to search on the newly appended or replaced values, but I am having difficulty forming the search. Has anyone gotten this to work? An example would be excellent.
That should help:
source="/tmp/tmp.log" | base64 field="secret" action="decode" | search secret="*127.0.0.1*"