Is it just me or can you not do a substring search with something like "data=substring"? For example if my data contains the string:
I can search for that full string using data=http://substring/foo/baz?bar but not the data search above. This seems quite odd to me. I have tried it with multiple fields in both indexed and raw mode.
If this is not possible, it would be a great feature. I suppose what seems odd to me is that if the same log was in the SIEM I could do a substring search.