How to assign value to a field which is not present in some of the events and compare that value with other values from other events where that field is present?
I have events where the field named "SSLProxyEngine" has the value "ON" or "OFF" for some of the events, but for some events that field is not present. I want to assign the value "NONE" to SSLProxyEngine where the field is not present and then compare this value with the values of other events.
How can I do that?
Hi abhi04,
First you run your search to get the events and add an eval statement to check if the field exists or not, and if not, assign it the value. Try this:
your search here
| eval SSLProxyEngine = case(isnull(SSLProxyEngine), "NONE", isnotnull(SSLProxyEngine), SSLProxyEngine, 1=1, "unknown")
The last option is for events that do not match anything 😉
Hope this helps ...
cheers, MuS
| eval yourfield=if(isnull(yourfield),"NONE",yourfield)
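An added example, not part of the thread: it carries the null-to-"NONE" assignment from the answers above through to the comparison the question asks about, here a per-host check of whether every event reports the same setting. The events are constructed with makeresults, and the host grouping plus the field names n, events, settings, distinct_settings and consistent are assumptions.

```spl
| makeresults count=6
| streamstats count AS n
| eval host=if(n<=3, "constructed-host-a", "constructed-host-b")
| eval SSLProxyEngine=case(n=1, "ON", n=2, "OFF", n=4, "ON", n=5, "ON", n=6, "ON")
| eval SSLProxyEngine=if(isnull(SSLProxyEngine), "NONE", SSLProxyEngine)
| stats count AS events, values(SSLProxyEngine) AS settings, dc(SSLProxyEngine) AS distinct_settings BY host
| eval consistent=if(distinct_settings=1, "yes", "no")
```

Event 3 has no SSLProxyEngine field because case() returns null when nothing matches, so constructed-host-a ends up with NONE, OFF and ON and is flagged as not consistent, while constructed-host-b reports only ON.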