Scenarios:
1) searching email logs for an exact subject so I use quotes
index=mail sourcetype=xemail subject = "exact subject"
2) searching email logs for subjects that contains [blah blah] so I use *
index=mail sourcetype=xemail subject = *blah blah*
But what about * "blah blah" or * "blah blah" * or "blah blah" * ?
Can anyone explain the best way to search by "is" or "contains" ?
Thank you
