Hi there, I have a search below:
host = xxx.xxx.xxx.xxx AND duration
| rex field=_raw (something)
| rex field=_raw (something)
| rex field=_raw (something)
| rex field=_raw (something)
| rex field=_raw (something)
| rex field=_raw (something)
| rex field=_raw (something)
| rex field=_raw (something)
| replace (something) with (something)
| rex field=_raw (something)
| replace (something) with (something)
| rex field=_raw (something)
| replace (something) with (something)
| rex field=_raw (something)
| replace (something) with (something)
| rex field=_raw (something)
| replace (something) with (something)
| rex field=_raw (something)
| replace (something) with (something)
| rex field=_raw (something)
| replace (something) with (something)
| rex field=_raw (something)
| rex field=_raw (something)
| rex field=_raw (something)
| rex field=_raw (something)
| rex field=_raw (something)
| rex field=_raw (something)
| rex field=_raw (something)
| rex field=_raw (something)
| replace (something) with (something)
| rex field=_raw (something)
| replace (something) with (something)
| rex field=_raw (something)
| replace (something) with (something)
| rex field=_raw (something)
| replace (something) with (something)
| rex field=_raw (something)
| replace (something) with (something)
| rex field=_raw (something)
| replace (something) with (something)
| rex field=_raw (something)
| replace (something) with (something)
| rex field=_raw (something)
| rex field=_raw (something)
| rex field=_raw (something)
| replace (something) with (something)
| rex field=_raw (something)
| replace (something) with (something)
| rex field=_raw (something)
| replace (something) with (something)
| rex field=_raw (something)
| replace (something) with (something)
| rex field=_raw (something)
// At this point, all subsequent conditions are not run anymore
| replace (something) with (something)
| rex field=_raw (something)
| replace (something) with (something)
| rex field=_raw (something)
| replace (something) with (something)
| rex field=_raw (something)
| replace (something) with (something)
| search API=(something)
| rex field=_raw (something)
| sort 1 - duration
Is there a way to increase the number of conditions to enable the entire search to be done?
@zongwei
Can't you use IFX to extract the values and then use them directly in your query? It may save all the pain of writing those regex expressions.
Hi @pramit46
Would you mind elaborating? Also, all the regex expressions are there to extract different pieces of information to be used in the display, hence that many regex and replace renamings.
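As an added illustration of the two points in this thread (collapsing a long chain of rex/replace commands, and letting a search-time field extraction do the work instead), here is a constructed SPL search that is not part of the original posts. The log format, field names (API, duration, status, user) and the status values are assumptions, since the question's own regexes are elided; the host filter, the search on API and the final sort mirror the question.

```spl
host=xxx.xxx.xxx.xxx AND duration
``` one rex with several named capture groups replaces a series of single-field rex commands;
    the pattern matches a constructed line such as
    "API=getUser duration=123ms status=OK user=alice" ```
| rex field=_raw "API=(?<API>\S+)\s+duration=(?<duration>\d+)ms\s+status=(?<status>\S+)\s+user=(?<user>\S+)"
``` replace ... with ... on a field can be expressed as a single eval, which also keeps
    any value that needs no renaming (the true() branch) ```
| eval status=case(status=="OK", "success", status=="ERR", "failure", true(), status)
``` make duration numeric so the sort orders by value, not by string ```
| eval duration=tonumber(duration)
``` same filter and sort as the original search; API=getUser is a constructed value ```
| search API=getUser
| sort 1 -duration
```

The same regex, with its named groups, is what the Interactive Field Extractor (IFX) saves as an EXTRACT-<class> entry under the sourcetype's stanza in props.conf; once that is in place the fields API, duration, status and user are extracted at search time and the rex line above can be dropped from the query altogether, which is what the reply recommends. Inline comments in SPL use triple backticks, as shown, and are stripped before the search runs.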