the large size logs like as below

it's not a regular json data, therefore need to using rex to get fields

A logs have name and uid

B and C logs have uid and oid

the dashboard accept input name, it allow multiple name with comma

then using the name to find the uid and figure out the related uid and oid data from B logs and exclude from c logs

so, I don't know how to 

1. in a search statement substitute using the value of users be a keyword

2. combine the field data with comma for using  function search data in (...) 

Thanks.

--

for example:

A logs:
... x1 ...uid=123...
... y2 ...uid=456...
... z3 ...uid=789...

B logs:
.... oid=989 ...uid=123 ...
.... oid=566 ...uid=456 ...
.... oid=486 ...uid=789 ...

C logs:
...cancel_order... oid=989 ...uid=123 ...
...cancel_order... oid=566 ...uid=456 ...
...cancel_order... oid=486 ...uid=789 ...

a dashboard has a input box text: users, and user can input multiple users with comma
the value of users will be like "x1,z3"

I wont to put the value in a search statement
such us

| makeresults
| eval users="x1,z3"

| eval names=replace(users, ",", " OR ")    =>excepted result: x1 OR z3
| search source="alog" $names$     => Substitute the names value into keyword
| rex "name=(?<name>\S+)"
| rex "uid=(?<uid>\d+)"
| table name,uid
| join type=left max=0 uid
[
source="blog" 
| rex "uid=(?<uid>\d+)"
| rex "oid=(?<oid>\d+)"
| search uid in (uids)    => uids combin the uid values with comma ex: (123,456,789)
| table uid,oid
]
| join type=left max=0 oid
[
source="clog" cancel_order
| rex "uid=(?<uid>\d+)"
| rex "oid=(?<oid>\d+)"
| search uid in (uids)    => uids combin the uid values with comma ex: (123,456,789)
| table uid,oid,status
]
| where isnull(status)
| stats count(oid) by name