I tried the above query, but it still did not return any results. However, using the format directive seems to work.
So now my query is like:
source="file2" [search source="file1" "aaa bbb ccc" | rex "aaa bbb ccc (?<extraction_name>.*) ddd" | stats count by extraction_name | fields + extraction_name | format | eval search =replace(search, "extraction_name=", "")]
I ran the subquery alone from above and saw that the results returned were like so:
((STRING I NEED 1) OR (STRING I NEED 3) OR (STRING I NEED 3))
which is exactly what I need to be searched in the outer query.
In the query mentioned in the question, the intention was that the subquery would return something along the lines of:
("STRING I NEED 1" "STRING I NEED 2" "STRING I NEED 3")
It turned out it didn't, so I don't understand why.
Thanks.