Is there a way to set a Field Alias as search time, I am building a report looking at Windows Event IDs, In this case I want to know if the User or The User_Name field are = to something. This would be simple with an OR but I am using an inputlookup sub search to get the list of users from a CSV.
rename replaces the target field, even if there was something there before, if it appears consecutively like this:
mysearch | rename User as user | rename User_Name as user
rename only coalesces if it appears for both fields within the same pipe like this:
mysearch | rename User as user User_Name as user
You can handle that in subsearch query itself.
e.g. |inputlookup yourlookup.csv | eval User=UserName | table User, UserName | format "(" "(" "OR" ")" "OR" ")"