Ex:
sourcetype=abcd [search sourcetype=xyz field1=200 | table field2,field3,field4]
which will be literally
sourcetype=abcd [search field2="returned value" AND field3="returned value" AND field4="returned value" ]
Is it possible to run
sourcetype=abcd [search field2="returned value" OR field3="returned value" OR field4="returned value"]
given that the field name conventions are the same in both the sourcetypes?
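One way to get OR between the returned fields, shown as an added example that is not part of the original post: ending the subsearch with Splunk's `format` command sets the strings used when the results are expanded into the outer search. Its six quoted arguments are, in order, row prefix, column prefix, column separator, column end, row separator and row end; the default column separator is AND, and here it is changed to OR. The sourcetypes and field names are the ones from the question.

```spl
sourcetype=abcd
    [ search sourcetype=xyz field1=200
      | table field2, field3, field4
      | format "(" "(" "OR" ")" "OR" ")" ]
```

Running the bracketed part on its own, without the brackets, returns a single field named `search` holding the generated string, for example `( ( field2="..." OR field3="..." OR field4="..." ) )`, which is a quick way to check the expansion before using it as a subsearch.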