Archive
Highlighted

Extract values from a multivalue-field

Explorer

I have a multi-value field that contains IP-Adr and MAC-Adr and want to seprate them into single value fields. Sounds easy but the name of the field is 'host.address{@addr}', because of the xml-parsing.

Something like the following doesn't work because of "Error in 'eval' command: The expression is malformed. Expected ).":

index=network_nmap host.address{@addr}=*
| eval test=mvindex(host.address{@addr},0)

What's my way out? Thanks in advance.

Tags (1)
0 Karma
Highlighted

Re: Extract values from a multivalue-field

Champion

Have you tried wrapping the field name in single or double quotes.

Like this:

`| eval test=mvindex("host.address{@addr}",0)`

or

`| eval test=mvindex('host.address{@addr}',0)`

View solution in original post

0 Karma
Highlighted

Re: Extract values from a multivalue-field

Explorer

I just tried it with double quotes but it works with single ones.

0 Karma