I have a search that needs to search in several indexes ending with several words, ex:
index=stuff-xxx OR index=stuff-yyy OR index=stuff-zzz ...
but these xxx, yyy and zzz 'words' are more than 20 and counting, so is there a way to do something like this?:
Note: do not suggest a star/asterisk wildcard, I need to ignore everything else, I don't need indexes like stuff-aaa.
create a macro maybe?
(index = stuff-xxx OR index = stuff-yyy OR index = stuff-zzz OR index = stuff-xyz)
save it and name it as you please.
now search `myMacro` ... rest of search
docs article here:
hope it helps
Try like this
[| gentimes start=-1 | eval index="xxx yyy zzz ppp qqq...all other separated by space" | table index | makemv index | mvexpand index | eval index="stuff-".index ] ...rest of the search
The subsearch will dynamically generate that OR list for you, so you just need to add the keyword in the eval index="xxx... part.
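To check what the subsearch above hands to the outer search, its pipeline can be run as a standalone search with `format` appended. This is an added example, not part of the original answer; the three suffixes are the placeholders used in the question.

```spl
| gentimes start=-1
| eval index="xxx yyy zzz"
| table index
| makemv index
| mvexpand index
| eval index="stuff-".index
| format
```

The single result row carries a `search` field holding the parenthesised OR list of the generated `stuff-` index names, which is the text substituted for the bracketed subsearch. Reviewing it before saving the search confirms that no index outside the intended list is being queried.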
search = index=stuff-xxx OR index=stuff-yyy ...
Search query :