I have a bunch of existing regexes that operate on an HTTP URI (e.g., "/foobar?x=1&y=2"). I have logs of two different source types, one in which the URI is reported as a single field, and another in which the query portion of the URI is elsewhere in the event (e.g., "/foobar HTTP/1.1 200 x=1&y=2"). I see that I can define an index-time field that concatenates the base URI and its query string. But is there a search-time way to do this?
If there is a succinct way to apply a transform to multiple SOURCE_KEYs without duplicating the REGEX, that would be fine too.