I would like all the results from a field extraction in search "A" to be used as search criteria in search "B". I am using a subsearch for this, however for some reason only the top result for the field in search "A" is being used in search "B", where I want all the values to be used. Individually search A returns multiple results, and I can find these results in search B but not together:
`index= sourcetype= other search foo [search index= sourcetype= extra search foo | rex field=_raw "some regex(?)" | dedup my_field | fields my_field | rename my_field as search ]`
For example my_field should return a bunch of values e.g. 1, 2, 3, 4, 5 but only "1" is being used in the parent search.
Any ideas why it isn't using all of the values with implicit "OR" between??
↧