I have a search with a bunch of OR's and I wanted to replace it with "IN" however I do not get the same results.
My working search is :
index="mimecast" (Sender="*gmail.com" OR Sender="*@outlook.com" OR Sender="*@my.com" OR Sender="*@mail.ru") AND (Subject="*Availab*" OR Subject="*Urgent*" OR Subject="*Hello*" OR Subject="*Request*")
| stats count by Sender,Subject
| where count >=4
| sort -Count
My modified, non-working search is:
index="mimecast" Sender in ("*gmail.com","*@outlook.com","*@my.com","*@mail.ru") AND Subject in ("*Available*","*Urgent*","*Availability*","*Hello*","*Request*")
| stats count by Sender,Subject
| where count >=4
| sort -Count
Can anyone explain why the first version works and the second does not? I've tried using brackets () in different places etc byt cannot get any results to be returned.
Thanks!
↧