My data for field entity contains either a username or an ip address.
How can make a new field for either user or src_ip?
for example
entity=rhoward
entity=10.0.0.1
entity=192.168.1.1
entity=jbozo
I would like a new field for user and src_ip
Thank you!
Hello
You could create two new fields from the entity one, like:
| eval user=if(match(entity, "[a-zA-Z]+"), entity, null) | eval src_ip=if(match(entity, "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$"), entity, null)
Regards
Hello
You could create two new fields from the entity one, like:
| eval user=if(match(entity, "[a-zA-Z]+"), entity, null) | eval src_ip=if(match(entity, "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$"), entity, null)
Regards
Thanks for the points omgwut56k. If you feel the solution works, please mark it as solved. thanks
I 'accepted' the answer. Not sure where here to mark it as solved.
"Accepted" == solved.
This is a job for coalesce
.
... | eval newField=coalesce(user, src_ip) | ...
Thank you. However if the field has an ip address I would like that to be expressed src_ip, if it's a user I would like it expressed as user.. Is that possible?