Log Search with Variable

Why can’t this work?

where("" CONTAINS-ANY [${MyBadUsers}])

I want to search multiple log sources for strings that are in my custom variable.

You have to have a key set in order to compare values to the contents of your variable, you cannot simply search everywhere for the contents of your variable.

Instead it would need to be

where(keyname CONTAINS-ANY [${MyBadUsers}])

You can use the suggest keys, which will autopopulate the available keys, by typing this

where("") and placing your cursor between the "double quotes"

Depending on your logs the key for users will be different.

An alternative approach would be to simply take the list of users from your variable and run

where(user1 OR user2 OR user3, loose) and it will search everywhere for those users. Loose search means case insensitive and partial matching.

David

Thanks David.

It would be nice if the key names were the same between log sources. :frowning: