Update savedsearches.conf

Author: gjanders

default/savedsearches.conf

@@ -7801,11 +7801,11 @@ search =  index=_audit `searchheadhosts` search=* lookup OR outputlookup OR inpu
 ``` remove append= local= update= key_field= as that will confuse the regexes to extract the lookup file name ```\
 | rex field=search mode=sed "s/(append|local|update|key_field)\s*=\s*\S+\s+/ /g"\
     ``` deal with standard | inputlookup, | outputlookup or | lookup ``` \
-| rex max_match=20 field=search "(?ms)\|\s*(?P<operation>((input|output)?lookup|apply))\s+\"?(?P<lookup_file>[^\"\s'\|\]]+)"
+| rex max_match=20 field=search "(?ms)\|\s*(?P<operation>((input|output)?lookup|apply))\s+\"?(?P<lookup_file>[^\"\s'\|\]]+)" \
     ``` deal with | from:inputlookup: "lookupfile.csv" ``` \
 | rex max_match=20 field=search "(?ms)\|\s*from\s+(?P<operation>inputlookup):\s*\"?(?P<lookup_file2>[^\"\s'\|\]]+)"\
     ``` deal with subsearches with [ inputlookup ] or [ outputlookup ] ``` \
-| rex max_match=20 field=search "(?ms)\s*\[\s*(?P<operation>((input|output)?lookup)|apply)\s+\"?(?P<lookup_file3>[^\"\s'\|\]]+)" 
+| rex max_match=20 field=search "(?ms)\s*\[\s*(?P<operation>((input|output)?lookup)|apply)\s+\"?(?P<lookup_file3>[^\"\s'\|\]]+)" \
 | rex max_match=20 field=search "(?ms)\s*\[\s*from\s+(?P<operation>inputlookup):\s*\"?(?P<lookup_file4>[^\"\s'\|\]]+)"\
     ``` this one occurs in sub-searches for example search=' inputlookup filename.csv' could work in a pure-subsearch only, otherwise it's missing the | symbol at the start ``` \
 | rex max_match=20 field=search "(?ms)(^\s*|\s*\|\s*)(?P<operation2>((input|output)?lookup|apply))\s+\"?(?P<lookup_file5>[^\"\s'\|\]]+)" \