Adding Characters to the beginning of a field only...

ajdyer2000 · ‎02-14-2017

Hi

I have a search that returns a field called "Administrators"

Administrators

\DomainAdmins
\Backup Group
\Eventlog Administrators
user1
user2

for every entry that has a \ at the beginning I would like to put the word "Domain"

Domain\DomainAdmins
Domain\Backup Group
Domain\Eventlog Administrators
user1
user2

ajdyer2000 · ‎02-15-2017

Hi what would the new search look like?

somesoni2 · ‎02-15-2017

In @nickhillscpl's answer, replace first * with whatever search you've right now. Just add that | eval administrator... to end of your search.

nickhills · ‎02-15-2017

can you provide the search you are using now?

If my comment helps, please give it a thumbs up!

nickhills · ‎02-14-2017

This should work for you:

*|eval administrators=if(match(administrators, "^\\\.+"), "Domain".administrators, administrators)|table administrators

If my comment helps, please give it a thumbs up!

ajdyer2000 · ‎02-14-2017

I get no results found with that

nickhills · ‎02-14-2017

whats your starting search?

If my comment helps, please give it a thumbs up!

DalJeanis · ‎02-14-2017

Probably want to put a carat ^ at the start of that, so it only matches at the beginning of the string.

"Match" returns true if the REGEX can find a match against any substring of SUBJECT.

nickhills · ‎02-14-2017

good point. edited.

If my comment helps, please give it a thumbs up!

Adding Characters to the beginning of a field only when field starts with "\"