Try something like this run-anywhere example. I'll leave to you get the logtype field into the subsearch.
| makeresults | eval _raw="This event contains user=002 so it should match system logtypes"
| regex _raw=[|makeresults | eval logtype="system" | eval match=case(logtype="application","user=002", logtype="system","suser=004", 1==1, "XXnoMatchXX") | return $match]
---
If this reply helps you, Karma would be appreciated.
