Do you mean you are passing these values into a search,e.g. index=foo $status_token$ | ...
?
If so, you can use gentimes
and format
to reformat the value.
Suppose your field is called "status" and you want to search (status=new OR status=active OR status=reopen). So, assuming I understand your plan is to set the token value to "new active reopen", you can use the following to search using OR instead of AND logic.
index=foo [| gentimes start=-1 | eval status = "$status_token$" | table status | makemv status | mvexpand status | format]
This should get converted to the following when applied
index=foo ( ( status="open" ) OR ( status="new" ) OR ( status="reopen" ) )
@kiran331, did my answer help you? If so, please accept it. If not, please clarify.
It worked Thanks!
Do you mean you are passing these values into a search,e.g. index=foo $status_token$ | ...
?
If so, you can use gentimes
and format
to reformat the value.
Suppose your field is called "status" and you want to search (status=new OR status=active OR status=reopen). So, assuming I understand your plan is to set the token value to "new active reopen", you can use the following to search using OR instead of AND logic.
index=foo [| gentimes start=-1 | eval status = "$status_token$" | table status | makemv status | mvexpand status | format]
This should get converted to the following when applied
index=foo ( ( status="open" ) OR ( status="new" ) OR ( status="reopen" ) )