In Enterprise Security, for a drill down action I want to use a field from the notable events, which can have multi valued fields as well.
In this case, if I simply do my_field_in_the_search=$myfield_in_the_notable$ in the drilldown search, the values are presented as follows:
my_field_in_the_search=value1,value2,value3
It cannot be used like this, obviously. I would like to achieve something like
my_field_in_the_search=value1 OR my_field_in_the_search=value2, etc...
Is it possible to do this somehow?
It seems a bit much to have to do, but this would work, as long as some value is selected...
Instead of ...
index=foo my_field_in_the_search=$myfield_in_the_notable$
...you could code the search...
index=foo [| makeresults | eval my_field_in_the_search="$myfield_in_the_notable$" | makemv delim="," my_field_in_the_search | mvexpand my_field_in_the_search | table my_field_in_the_search | format]
And the format command will turn it into ...
((my_field_in_the_search=value1) OR (my_field_in_the_search=value2)....)
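For anyone who wants to see what the makemv / mvexpand / format chain above actually produces, here is a small added Python model of it (my own example, not code from the answer or from Splunk). It takes the comma-joined token value the notable event hands to the drilldown, splits it, and builds the same OR'd clause. It also covers two things the subsearch leaves to you: it refuses an empty token (the answer's "as long as some value is selected"), and it escapes quotes and backslashes in each value before placing it inside a quoted SPL literal, which matters because notable field values come from event data, not from the analyst. The field-name allowlist and the `build_or_clause` name are my own choices.

```python
import re

# Conservative allowlist for the left-hand field name; SPL allows more, but a
# drilldown should not let event data pick the field (assumption of this example).
_FIELD_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_.]*")


def escape_spl_value(value: str) -> str:
    """Escape a value so it can sit inside a double-quoted SPL string literal."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def build_or_clause(field: str, token_value: str, delim: str = ",") -> str:
    """Expand a delimiter-joined multivalue token into ((f="v1") OR (f="v2") ...).

    This mirrors what `makemv delim="," | mvexpand | format` does in the
    subsearch, with quoting and escaping added for values taken from events.
    """
    if not _FIELD_RE.fullmatch(field):
        raise ValueError(f"refusing unexpected field name: {field!r}")

    # Drop empty fragments such as a trailing delimiter ("a,b,").
    values = [v.strip() for v in token_value.split(delim) if v.strip()]
    if not values:
        # Nothing selected: do not emit an empty clause that would match
        # everything or nothing depending on the search; make the caller decide.
        raise ValueError("no values selected for drilldown")

    terms = [f'({field}="{escape_spl_value(v)}")' for v in values]
    return "(" + " OR ".join(terms) + ")"


if __name__ == "__main__":
    # Constructed sample token value, as a notable event would present it.
    sample_token = "value1,value2,value3"
    print(build_or_clause("my_field_in_the_search", sample_token))
```

Paste the returned clause into the outer search in place of `my_field_in_the_search=$myfield_in_the_notable$`; the `format` command in the answer does the same expansion inside Splunk, so this is only a way to check the expected output and the edge cases offline.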
This is great, thanks!