I see a column with name search and value (""field1"") Do we need to have field1 inside parentheses and two double quotes? Field label "search" in a subsearch is a pseudo keyword for "use as is...
See more...
I see a column with name search and value (""field1"") Do we need to have field1 inside parentheses and two double quotes? Field label "search" in a subsearch is a pseudo keyword for "use as is literal" in a search command. No, they should NOT have two quotation marks on each side. Maybe your lookup values insert one additional set of double quotes? If so, we can get rid of one set. Here is my emulation | makeresults format=csv data="id,Messages
,a
,b
,c
,d"
``` the above emulates
| inputlookup messages.csv
```
| fields Messages
| rename Messages as search
| format "(" "\"" "" "\"" "," ")"
| rex field=search mode=sed "s/ *\" */\"/g" Output only contains one set of double quotes search ("a","b","c","d")