I am having a problem with what I believe is writing a regex to clean up some events before I report on them in a dashboard. I am pulling specific security events from Windows, and each event should return a username and a domain. I am getting those results, but with each, it is also returning a second data item, "-". That is throwing things off/making it look ugly, and I haven't had much luck ripping it out. Hoping someone can assist and possibly explain what the solution is doing? I tried to do an eval replace for the field where "-" is replaced with "", but then none of my events showed up, so clearly that was wrong. A sample event looks like this to help clarify what I am getting:
I basically need to drop the first line from both "Account" and "Account_Domain" so that I would only get service. and PF as values.
As always, help is greatly appreciated.
| eval Account_Domain=mvindex(Account_Domain,1), Account_Name=mvindex(Account_Name,1)
So mvindex basically says, for that field, choose (in this case) the 2nd value as the only value for that field?
Yes, considering the second value.
Account_Name and Account_Domain are multivalue fields, and field indexes start from 0, meaning the 1st value. In our case we needed to consider the second value, so it would be index 1. Hope it's clear.
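A self-contained search that reproduces the multivalue situation and shows both the accepted mvindex answer and an order-independent alternative. This is an added example, not code from the original poster or the answerer; the two rows are constructed with makeresults (no Windows data needed), and the second row deliberately puts "-" after the real value to show where positional indexing breaks. The field names Account_Name and Account_Domain and the values "service." and "PF" are taken from the thread; n, positional_Name and positional_Domain are assumed helper names.

```spl
| makeresults count=2
| streamstats count AS n
| eval Account_Name=if(n=1, mvappend("-", "service."), mvappend("service.", "-")),
       Account_Domain=if(n=1, mvappend("-", "PF"), mvappend("PF", "-"))
| eval positional_Name=mvindex(Account_Name, 1),
       positional_Domain=mvindex(Account_Domain, 1)
| eval Account_Name=mvfilter(Account_Name!="-"),
       Account_Domain=mvfilter(Account_Domain!="-")
| table n positional_Name positional_Domain Account_Name Account_Domain
```

Row 1 (the layout described in the thread, "-" first) gives service. and PF from both approaches. Row 2 (constructed, "-" second) shows the difference: mvindex(..., 1) returns "-" because it only knows the position, while mvfilter drops "-" wherever it sits and keeps service. and PF. If an event ever carries a single value rather than two, mvindex(..., 1) returns null and that event loses the field entirely, which is one way a dashboard panel silently shrinks; mvfilter leaves a single real value untouched. For reporting on security events, filtering on the value rather than the position is the safer choice because the result does not depend on the extraction order staying the same across event types.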
It is! Thank you so much!