For example, if I have a proxy log, and it shows User=A, then in the URL field we have "http://somesite.com/parameter=A", I want it to be able to pull up those logs.
You can make that comparison by using where like() in this way:
| where like(URL, "%".user."%")
Here's some sample run-anywhere code. Everything before the where like() line is just making a couple of test events:
| makeresults
| eval user="Alex", URL="http://somesite.com/parameter=Alex"
| append
[| makeresults
| eval user="Beth", URL="http://somesite.com/parameter=Baloney"]
| where like(URL, "%".user."%")
Note that the % are being appended to the start and end of the user field for the comparison, because these are the wildcards for the like function.
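Added example, not part of the original answer: because like() treats % and _ inside the user value as wildcards and matches anywhere in the URL, a substring test can over-match, so this search puts it side by side with an exact comparison on the extracted query value. It assumes the value follows "parameter=" as in the question and that usernames are case-insensitive; the field names n, sample_note, url_param, like_hit and exact_hit are illustrative, and all five events are constructed.

```spl
| makeresults count=5
| streamstats count AS n
| eval sample_note="constructed test event, not from a real proxy log"
| eval user=case(n=1, "Alex", n=2, "Beth", n=3, "site", n=4, "d_ng", n=5, "-")
| eval URL="http://somesite.com/parameter=".case(n=1, "Alex", n=2, "Baloney", n=3, "Carol", n=4, "dung", n=5, "guest-wifi")
| eval like_hit=if(like(URL, "%".user."%"), "yes", "no")
| rex field=URL "parameter=(?<url_param>[^&#]+)"
| eval exact_hit=if(lower(url_param)=lower(user), "yes", "no")
| table user URL url_param like_hit exact_hit
```

Events 3 to 5 are flagged by like() but not by the exact comparison: "site" matches the hostname, the underscore in "d_ng" matches any single character, and a placeholder user of "-" matches any URL containing a hyphen. To filter instead of compare, replace the last two lines with | where lower(url_param)=lower(user).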
Please share some sample events.