Hello,
I have a problem with a subsearch in which I try to filter the results of the main search. The search looks like this:
index = any sourcetype = log
[search index = any sourcetype = log
|eval user = "ANU"
|eval user = if( user LIKE "ANO" OR user LIKE "ANA","|stats count by UserId","|sendemail ...")
|return $user]
The problem now is that the subsearch returns more than one value. So if the user is not like ANO, the search is sending 30 emails instead of just one, and "stats count by UserId" is also set in the main search more than one time. I think that the if clause causes that problem. Is it possible to end the subsearch after one result or just return values after the complete subsearch is completed?
Greetings