I have a multi-value field that contains IP-Adr and MAC-Adr and want to seprate them into single value fields. Sounds easy but the name of the field is 'host.address{@addr}', because of the xml-parsing.
Something like the following doesn't work because of "Error in 'eval' command: The expression is malformed. Expected ).":
index=network_nmap host.address{@addr}=*
| eval test=mvindex(host.address{@addr},0)
What's my way out? Thanks in advance.
Have you tried wrapping the field name in single or double quotes.
Like this:
`| eval test=mvindex("host.address{@addr}",0)`
or
`| eval test=mvindex('host.address{@addr}',0)`
I just tried it with double quotes but it works with single ones.
Have you tried wrapping the field name in single or double quotes.
Like this:
`| eval test=mvindex("host.address{@addr}",0)`
or
`| eval test=mvindex('host.address{@addr}',0)`