Similarly, I want to make a group/eventtype of events from a certain sourcetype where the LOGINID values are all 12 characters long. I can get these events out using pipes and regexes, but then eventtypes does not accept search queries with pipes. Is there a way to extract the LOGINID length as a seperate field that I can use to search on in my eventtype query?
