Looking for help framing a query for the following scenario:
index=index "designated field"
Events show that there are multiple values for the field (these are log message types):
I want to enumerate all of the fields that are associated with each designated_field.TypeN (i.e. each log message type has its own set of associated sub-fields).
So for Type1:
So I am imagining my query goes like this:
| <enumerate each of the values in designated_field>
| <pull out the field names for each of the values that were enumerated>
| <form a table with a column listing the values and then a second column showing all of the field names associated with each value>
Thanks for taking the time to respond. I had thought I had responded to this, but it seems the forum ate my reply.
Time  | Designated_Field         | Sub-Field Name
21:21 | 01 - Logon               | User
21:22 | 02 - Logoff              | User
21:23 | 04 - IP Address Assigned | Host
NOTE: Designated_Field is a field whose values are extracted and displayed per event; the third column lists the sub-field names associated with the values in the second column.
I am not sure I understand the ask here. Can you please share some realistic events and a representation of your expected output? Please include the events in a code block </> to preserve the formatting of the events.
Thanks for engaging my question.
Time  | Designated_Field | Sub-Field
21:23 | 01 - Logon       | User
21:25 | 02 - Logoff      | User
So note that (01 - Logon, 02 - Logoff) are the values in the field: Designated_Field. By contrast, (User, Host, Logon Domain) are field names (like Designated_Field).
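The enumeration the question asks for (one row per Designated_Field value, listing the field names that occur alongside it), worked through in Python over constructed events. This is an added example, not code or data from the thread: the events, field names and values below are made up to match the shape the poster described, and the SPL analogue mentioned in the comment (`foreach` plus `mvappend`, then `stats values(...) by Designated_Field`) is a suggested approach, not something the thread confirms.

```python
"""Per value of a designated field, collect the names of the other fields that
co-occur with it. Added example, not from the thread; events are constructed."""
from collections import defaultdict

# Constructed sample events in the shape the question describes: every event
# carries the designated field, and the remaining sub-fields vary by message type.
EVENTS = [
    {"_time": "21:21", "Designated_Field": "01 - Logon", "User": "alice", "Logon Domain": "CORP"},
    {"_time": "21:22", "Designated_Field": "02 - Logoff", "User": "alice"},
    {"_time": "21:23", "Designated_Field": "04 - IP Address Assigned", "Host": "ws01", "IP": "10.0.0.5"},
    {"_time": "21:25", "Designated_Field": "02 - Logoff", "User": "bob", "Session": "3"},
    {"_time": "21:26", "Designated_Field": "01 - Logon", "User": "bob"},
]


def fields_by_value(events, designated="Designated_Field"):
    """Return {designated value: sorted list of field names seen with that value}.

    The designated field itself and internal fields (leading underscore, e.g. _time)
    are skipped. In SPL the same result could be approximated (assumption, not from
    the thread) with:
      | foreach * [eval fieldnames=mvappend(fieldnames, "<<FIELD>>")]
      | stats values(fieldnames) by Designated_Field
    """
    seen = defaultdict(set)
    for ev in events:
        value = ev.get(designated)
        if value is None:
            continue  # event has no designated field; nothing to attribute it to
        for name in ev:
            if name == designated or name.startswith("_"):
                continue
            seen[value].add(name)
    return {v: sorted(names) for v, names in sorted(seen.items())}


def render_table(mapping, designated="Designated_Field"):
    """Two-column text table: the value, then the field names associated with it."""
    width = max(len(designated), *(len(v) for v in mapping))
    lines = [f"{designated:<{width}}  Sub-Field Names"]
    for value, names in mapping.items():
        lines.append(f"{value:<{width}}  {', '.join(names)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(fields_by_value(EVENTS)))
```

Note that the result is a union over all events with a given value (e.g. "02 - Logoff" picks up Session from one event and User from both), which is what a `stats values(...)` style aggregation would also produce; if you need per-event field lists instead, keep the grouping key as the event rather than the value.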