Is there a way to search a field for each word in a token?
Let's say that a user enters:
$mytoken$ = "value1 value2"
into a dashboard form and you want a panel to:
index=myindex $mytoken$ | search field1=value1 OR field1=value2
How do I search for either value in that field? The user may enter more than 2 words in the input field and any word entered should be added to the "OR" list.
Maybe a subsearch like:
| search [| stats count | eval field1=$mytoken$ | table field1 | makemv field1 delim=" " allowempty=t| mvexpand field1 ]
Is the subsearch approach a good idea or is there a better way?
↧