This is almost perfectly exactly what I'm looking for. The only thing, and this is probably my fault for not elaborating, is that "dept_LV*" won't always be "dept_LV"; it could be "site_LA" or "org_NY". I need the "search" function to use the variable rather than a manual string... for instance:
source = "source_1" OR source = "source_2"
| eval matchID=coalesce(lookupfield, actual_field)
| search matchID = lookupfield
| table costcenter, location, building_number, caption
I even tried:
source = "source_1" OR source = "source_2"
| eval matchID=coalesce(lookupfield, actual_field)
| where like (matchID, lookupfield)
| table costcenter, location, building_number, caption
but it's just not triggering on that search. Another way of asking: is there a way for a search clause to match 2 fields with a wildcard?