I am not seeing the extracted field with the query below.
index=fireeye | eval {flexString2Label} = flexString2
Below are the corresponding values in CEF format:
flexString2Label = subject
flexString2 = "a test message"
Please advise what I am missing.
| makeresults
| eval flexString2Label = "subject",flexString2 = "a test message"
| eval {flexString2Label} = flexString2
This is OK.
Maybe the flexString2Label or flexString2 field is not extracted.
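
An added example, not part of the original thread: a search that tests the suggestion above by reporting whether flexString2Label and flexString2 exist on the event and, when they do not, pulling them from _raw with rex before the dynamic eval. The CEF line, its header values and the names label_present, value_present, fs2_label and fs2_value are constructed for illustration; replace the first two lines with index=fireeye to run it against real events.

```spl
| makeresults
| eval _raw = "CEF:0|ExampleVendor|ExampleProduct|1.0|100|constructed sample event|5|flexString2Label=subject flexString2=a test message cs1Label=sname cs1=example"
| eval label_present = if(isnotnull(flexString2Label), "yes", "no"), value_present = if(isnotnull(flexString2), "yes", "no")
| rex field=_raw "flexString2Label=(?<fs2_label>.+?)(?:\s+\w+=|$)"
| rex field=_raw "flexString2=(?<fs2_value>.+?)(?:\s+\w+=|$)"
| eval {fs2_label} = fs2_value
| table label_present value_present fs2_label fs2_value subject
```

If label_present or value_present comes back "no" on real events, the dynamic eval has nothing to work with, which matches the behaviour described in the question; the rex lines then supply the label and value so that the subject field is created.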