We've tagged our hosts which we can search for by 'tag::host', but how do we reference that field from an eval command? Do we first need to rename it or is there a direct way?
Hi gilescope,
this is possible. I used a tag called foo-box for a special host and if you search like this
foo-box
your base search here | where 'tag::host'="foo-box"
you can use it without any problem.
cheers, MuS
View solution in original post
ah yes. single quotes is perfect. I tried double quotes but that turns out as a string constant.
well where is an eval command .... can you provide an example of yours which does not work?
where
Yes this works for search, but I want to include the tag::host field in an eval expression.
