I am not seeing the extracted field with the query below.
index=fireeye | eval {flexString2Label} = flexString2
Below are the corresponding values in CEF format:
flexString2Label = subjcect
flexString2 = "a test message"
Please advise what I am missing.
| makeresults
| eval flexString2Label = "subject",flexString2 = "a test message"
| eval {flexString2Label} = flexString2
This is OK.
Maybe the flexString2Label or flexString2 field is not extracted.
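An added example, not part of the original answer: a self-contained search that builds one constructed CEF-style event, extracts the two fields from _raw with rex, and then applies the same eval. The event text, the rex patterns and the fields_present helper field are assumptions for illustration; fields_present shows whether both inputs exist before the dynamic eval runs.

```spl
| makeresults
| eval _raw = "CEF:0|ExampleVendor|ExampleProduct|1.0|100|constructed sample event|5|flexString2Label=subject flexString2=a test message src=192.0.2.10"
| rex field=_raw "flexString2Label=(?<flexString2Label>.+?)(?=\s+\w+=|$)"
| rex field=_raw "flexString2=(?<flexString2>.+?)(?=\s+\w+=|$)"
| eval fields_present = if(isnotnull(flexString2Label) AND isnotnull(flexString2), "yes", "no")
| eval {flexString2Label} = flexString2
| table fields_present flexString2Label flexString2 subject
```

Replacing the first two lines with index=fireeye runs the same check against real events.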