Since one of the usernames needs to be simulated with a regex query, I am forced to use regex.
How can I do it so that I simulate a kind of OR condition between the main and sub search query?
index=main suser IN("abc","def") [search regex suser ="DEF[0-9]" AND EventID IN("323","322") | fields suser] | table suser field1 field2
I am a little confused about this OR requirement, and I am a little confused by the regex inside the subsearch as well. Maybe if you give us some sample logs, the subsearch may not be needed altogether.
(I received the 100 karma points giver badge, have you?!?!)
Thanks for your support. I cannot give a sample log.
The problem is I have a special username which needs to be simulated with regex.
Since I cannot use regex in the IN function, I just want to simulate it separately.
Maybe I use an unnecessary function. Maybe we can do it much more easily. I am not sure.
No need to write us the full logs. You can hide/edit the hostnames/confidential info in the logs and update us with the sample log.