|
I want a form that will allow a user to "build" the appropriate "source" (or log file name) based on selecting various pieces of data. So the fields will be like this: Date Application Server I want to then build a string to use in the search. Trying to use eval but getting now where.... sourcetype=MySourceType | eval sourcelog=Date."-".Application."-".Server.".log" |search source=sourcelog This always returns 0 results. If I leave out the search function, the sourcelog field is populated. Once I can get this search to work, I can use it in the populatingsearch function of the form. Ideas? |
|
When comparing two fields you want to use the Great hazekamp, thanks for the help. That works, but I still have a problem. Of course, when defining source=, I can use wild cards. However, when I place wildcards into sourcelog, and then use the where source=sourcelog command, it fails. seems the where doesn't like wildcards. Ideas?
(14 Jul '11, 12:32)
timmy13
|
